Cross-site Scripting (XSS)
Description
Whoogle-search before 0.7.2 has a stored/reflected XSS via the 'q' parameter when it does not contain 'http', due to unsafe use of the Jinja2 safe filter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Analysis
The vulnerability exists in whoogle-search versions prior to 0.7.2. The application takes the user-supplied q query string parameter and, if it does not contain the substring http, uses it to construct an error_message. This message is then passed to the error.html template via Flask's render_template function [2]. Crucially, the template renders this string using Jinja2's | safe filter, which disables automatic HTML escaping and allows arbitrary HTML/JavaScript to be injected [1][3].
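To make the mechanism concrete, the following added example (not code from whoogle-search) renders an attacker-style query through two stand-in templates: one with the `safe` filter, as in error.html before the fix, and one without it, as in the patched template. The templates, the `build_error_message` helper and the query value are constructed for the demonstration; it assumes the third-party `jinja2` and `markupsafe` packages are installed.

```python
from jinja2 import DictLoader, Environment
from markupsafe import Markup

# Constructed query value standing in for an attacker-controlled 'q' parameter
# that does not contain 'http' (the code path the advisory describes).
UNTRUSTED_Q = 'x" <script>alert(1)</script>'

# Hypothetical stand-ins for app/templates/error.html: the pre-0.7.2 form with
# the `safe` filter and the patched form without it.
TEMPLATES = {
    "error_vuln.html": "<p>{{ error_message|safe }}</p>",
    "error_fixed.html": "<p>{{ error_message }}</p>",
}

# Flask's render_template enables autoescaping for *.html templates;
# reproduce that behaviour with a plain Jinja2 environment.
env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)


def build_error_message(q: str) -> str:
    """Hypothetical stand-in for the routes.py logic: echo the rejected query."""
    return f"Error: '{q}' is not a valid query"


def render_error(template_name: str, q: str) -> str:
    """Render the error page the way the application would for a given q."""
    template = env.get_template(template_name)
    return template.render(error_message=build_error_message(q))


def contains_raw_script(html: str) -> bool:
    """Did an unescaped <script> tag survive into the rendered output?"""
    return "<script>" in html


def render_with_trusted_markup(q: str) -> str:
    """If the message genuinely needs HTML, mark only the trusted fragment as
    Markup; Markup.format() escapes the untrusted q instead of trusting the
    whole string as `|safe` did."""
    message = Markup("<strong>Error:</strong> invalid query {}").format(q)
    return env.get_template("error_fixed.html").render(error_message=message)


if __name__ == "__main__":
    print("vulnerable:", render_error("error_vuln.html", UNTRUSTED_Q))
    print("patched:   ", render_error("error_fixed.html", UNTRUSTED_Q))
    print("markup:    ", render_with_trusted_markup(UNTRUSTED_Q))
```

With the filter present the `<script>` tag is emitted verbatim; without it autoescaping turns `<` and `>` into `&lt;` and `&gt;`, so the same input renders as inert text.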
Exploitation Scenario
An attacker can craft a malicious URL containing a q parameter with a JavaScript payload, such as http://localhost:5000/url?q= [3]. Any user who visits this link will have the script executed in their browser context. No authentication is required to trigger the vulnerability, and the attack surface is the public-facing search interface. The exploit does not require the attacker to be logged in or have any special network position beyond being able to deliver the crafted link to a victim.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, leading to cross-site scripting (XSS) attacks. This can enable session hijacking, credential theft, defacement, or redirection to malicious sites. Since whoogle-search is a privacy-respecting metasearch engine often self-hosted, an XSS could compromise the security of the host instance and any users relying on it.
Mitigation
The vulnerability is fixed in whoogle-search version 0.7.2 [1][3]. Users should upgrade to this version or later. As of 2022, the advisory databases have marked the issue as resolved [4]. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| whoogle-search (PyPI) | < 0.7.2 | 0.7.2 |
Affected products
- whoogle-search/whoogle-search
Patches
abc30d7da3b5 Render error message w/o `safe` filter
1 file changed · +1 −1
app/templates/error.html+1 −1 modified@@ -16,7 +16,7 @@ <div> <h1>Error</h1> <p> - {{ error_message|safe }} + {{ error_message }} </p> <hr> <p>
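Review bot: removing `|safe` from `{{ error_message|safe }}` only closes the sink because Flask's render_template autoescapes templates whose names end in .html; this hunk should be accompanied by a check that error.html is not also rendered through a custom Environment with autoescape disabled, and that no other template still renders `error_message` or `q` with `|safe`, otherwise the same user-controlled string stays injectable elsewhere. Since error_message is built from the `q` parameter in routes.py, if any message legitimately needs markup the fix should wrap only that trusted fragment in Markup rather than re-adding the filter to the whole value.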
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mxvc-fwgx-j778 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25303 (ADVISORY)
- github.com/benbusby/whoogle-search/blob/6d362ca5c7a00d2f691a2512461c5dfbfc01cbb3/app/routes.py%23L448 (WEB)
- github.com/benbusby/whoogle-search/commit/abc30d7da3b5c67be7ce84d4699f327442d44606 (WEB)
- github.com/pypa/advisory-database/tree/main/vulns/whoogle-search/PYSEC-2022-226.yaml (WEB)
- snyk.io/vuln/SNYK-PYTHON-WHOOGLESEARCH-2803306 (WEB)
News mentions
No linked articles in our index yet.