VYPR
High severity · NVD Advisory · Published Nov 11, 2022 · Updated Apr 23, 2025

wsgidav is vulnerable to Cross-Site Scripting (XSS) when directory browsing is enabled

CVE-2022-41905

Description

WsgiDAV directory browsing susceptible to XSS; upgrade to v4.1.0 or disable dir_browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

WsgiDAV is a generic and extendable WebDAV server based on WSGI. Versions prior to 4.1.0 with directory browsing enabled are susceptible to Cross-Site Scripting (XSS). The directory browser renders its HTML listing from a Jinja2 template, and the template environment was created without autoescaping, so strings that a user can influence were written into the page verbatim instead of being HTML-escaped [1][2].

Exploitation

An attacker exploits this by getting a string they control rendered into the directory browser's page: a crafted file or folder name, or a realm or username string that the listing displays. Per [4], simply uploading a file with a crafted name is not by itself sufficient; the payload fires only when the untrusted value is reflected, unescaped, in the browser view.
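The mechanism described in the Overview and the reflection condition described above, as an added Python example (not WsgiDAV's own code): two stand-in renderers show what a listing looks like with and without escaping, and classify_listing() is the check a tester would run on the HTML returned for a collection after uploading a file with a distinctive, harmless name. The renderers, the probe name and the sample listings are constructed for this example; the real WsgiDAV template is not reproduced here, and html.escape stands in for Jinja2's autoescape. The same check applies to any other value the listing displays, such as a realm or username.

```python
"""Added example (not WsgiDAV's own code): why an unescaped directory
listing is an XSS sink, and a check to run against a server's listing.

The two render functions are stand-ins for the Jinja2 template.
render_listing_unescaped mirrors an Environment built without autoescape
(WsgiDAV < 4.1.0); render_listing_escaped mirrors the fixed Environment,
using html.escape for the same effect. Neither is WsgiDAV's template.
"""
import html
from urllib.parse import quote

# Constructed probe name: harmless, distinctive markup that no real file
# would carry. A live check would PUT an empty file with this name via
# WebDAV (the path is percent-encoded on the wire), GET the collection,
# and pass the HTML body to classify_listing().
MARKER_NAME = 'probe<b data-probe="1">x</b>.txt'


def render_listing_unescaped(names):
    """Pre-fix behaviour: display names are interpolated verbatim."""
    rows = "".join(
        f'<tr><td><a href="{quote(n)}">{n}</a></td></tr>' for n in names
    )
    return f"<table>{rows}</table>"


def render_listing_escaped(names):
    """Post-fix behaviour: every interpolated value is HTML-escaped,
    which is what Jinja2's autoescape does for {{ ... }} expressions."""
    rows = "".join(
        f'<tr><td><a href="{html.escape(quote(n))}">{html.escape(n)}</a></td></tr>'
        for n in names
    )
    return f"<table>{rows}</table>"


def classify_listing(body, marker=MARKER_NAME):
    """Classify a directory-listing body as 'vulnerable' (marker markup
    reflected verbatim), 'escaped' (marker present only in escaped form)
    or 'absent' (upload failed, listing disabled, or name not shown)."""
    if marker in body:
        return "vulnerable"
    if html.escape(marker) in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    for render in (render_listing_unescaped, render_listing_escaped):
        body = render(["readme.txt", MARKER_NAME])
        print(f"{render.__name__:26} -> {classify_listing(body)}")
```

The probe name contains characters that Windows filesystems reject, so run it against a POSIX-backed share, and delete the probe file once the listing has been classified. An "absent" result does not prove the server is fixed: it usually means the upload was refused or dir_browser is disabled.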

Impact

Successful exploitation lets an attacker run arbitrary JavaScript in the browser of anyone who views the listing, in the origin of the WsgiDAV server, enabling data theft, session hijacking, or other client-side attacks.

Mitigation

The issue is patched in version 4.1.0, and users are advised to upgrade. As a workaround, set dir_browser.enable = False in the configuration, which disables the directory browser entirely [1][4].
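A triage check for the version range and workaround above, as an added Python example (not WsgiDAV's own code): it parses a version string including the pre-release form the affected range starts at, decides whether a deployment is patched, mitigated or vulnerable, and produces the workaround config. It assumes the affected range is exactly >= 3.0.0a1, < 4.1.0 as this advisory states, that the configuration is the dict/YAML shape with a dir_browser section and an enable key named on this page, and that an absent key means the browser is enabled (WsgiDAV's shipped default; confirm against the default configuration of your version). The sample config is constructed.

```python
"""Added example (not WsgiDAV's own code): triage a WsgiDAV deployment for
CVE-2022-41905 from its version string and configuration, and emit the
advisory's workaround.

Assumptions: the affected range is >= 3.0.0a1, < 4.1.0 as the advisory
states, and the directory browser is on unless dir_browser.enable is
explicitly false (WsgiDAV's shipped default enables it; treat that as an
assumption and confirm against your version's default configuration).
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def parse_version(text):
    """Turn 'X.Y[.Z][{a|b|rc}N]' into a tuple that sorts correctly.

    The fourth element is 1 for a final release and 0 for a pre-release,
    so 4.1.0a1 < 4.1.0 and 3.0.0a1 < 3.0.0; the advisory's range starts
    at a pre-release, so this ordering matters.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (
        int(major), int(minor), int(patch or 0),
        0 if pre else 1,
        _PRE_RANK[pre] if pre else 0,
        int(pre_n or 0),
    )


AFFECTED_FROM = parse_version("3.0.0a1")   # inclusive
PATCHED_AT = parse_version("4.1.0")        # exclusive


def version_affected(text):
    return AFFECTED_FROM <= parse_version(text) < PATCHED_AT


def dir_browser_enabled(config):
    """Assumption: an absent key means enabled, matching the shipped default."""
    section = config.get("dir_browser") or {}
    return bool(section.get("enable", True))


def assess(version_text, config):
    """'patched' if the version is outside the affected range,
    'mitigated' if affected but the directory browser is off,
    otherwise 'vulnerable'."""
    if not version_affected(version_text):
        return "patched"
    if not dir_browser_enabled(config):
        return "mitigated"
    return "vulnerable"


def apply_workaround(config):
    """Return a copy of the config with dir_browser.enable = False, the
    workaround the advisory gives for deployments that cannot upgrade."""
    fixed = dict(config)
    fixed["dir_browser"] = dict(fixed.get("dir_browser") or {}, enable=False)
    return fixed


if __name__ == "__main__":
    # Constructed sample: a 4.0.2 host running with the default (enabled) browser.
    cfg = {"host": "0.0.0.0", "port": 8080, "provider_mapping": {"/": "/srv/dav"}}
    print(assess("4.0.2", cfg))                    # vulnerable
    print(assess("4.0.2", apply_workaround(cfg)))  # mitigated
    print(assess("4.1.0", cfg))                    # patched
```

Disabling dir_browser removes the HTML listing for browsers but does not affect WebDAV clients, which use PROPFIND rather than GET on collections, so the workaround costs nothing for normal DAV use.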

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: wsgidav (PyPI)
Affected versions: >= 3.0.0a1, < 4.1.0
Patched versions: 4.1.0

Affected products

2
  • ghsa-coords
    Range: >= 3.0.0a1, < 4.1.0
  • mar10/wsgidavv5
    Range: >= 3.0.0a1, < 4.1.0

Patches

1
e9606ab0f42f

Merge pull request from GHSA-xx6g-jj35-pxjv

https://github.com/mar10/wsgidav · Jon Brunn · Nov 11, 2022 · via ghsa
2 files changed · +4 −4
  • wsgidav/dir_browser/_dir_browser.py (+2 −2, modified)
    @@ -10,7 +10,7 @@
     from fnmatch import fnmatch
     from urllib.parse import unquote
     
    -from jinja2 import Environment, FileSystemLoader
    +from jinja2 import Environment, FileSystemLoader, select_autoescape
     
     from wsgidav import __version__, util
     from wsgidav.dav_error import HTTP_MEDIATYPE_NOT_SUPPORTED, HTTP_OK, DAVError
    @@ -73,7 +73,7 @@ def __init__(self, wsgidav_app, next_app, config):
     
             # Prepare a Jinja2 template
             templateLoader = FileSystemLoader(searchpath=self.htdocs_path)
    -        templateEnv = Environment(loader=templateLoader)
    +        templateEnv = Environment(loader=templateLoader, autoescape=select_autoescape())
             self.template = templateEnv.get_template("template.html")
     
         def is_disabled(self):
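Review bot: select_autoescape() with no arguments only turns escaping on for templates whose name ends in .html, .htm or .xml, so the protection added on the `templateEnv = Environment(loader=templateLoader, autoescape=select_autoescape())` line is load-bearing on the file name passed two lines later in `templateEnv.get_template("template.html")`; renaming that file would silently disable the fix. Since this environment serves one known template, `autoescape=True` is the unconditional form; if select_autoescape is kept, add a comment at the get_template call saying the .html extension must stay.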
    
  • wsgidav/dir_browser/htdocs/template.html (+2 −2, modified)
    @@ -81,7 +81,7 @@ <h1>
                 </a>
               {% endif -%}
               {%- if row.add_link_html %}
    -              {{row.add_link_html}}
    +              {{row.add_link_html | safe}}
               {% endif -%}
             </td>
             <td>{{ row.display_type }}</td>
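Review bot: `{{row.add_link_html | safe}}` re-opens a raw HTML sink for one field immediately after autoescape was enabled, so the fix is complete only if whatever builds add_link_html escapes every request-derived component (link text, href) itself; that contract is not visible in this diff. Either document it at the producer, or replace the pre-built HTML string with structured values (an href and a label) that the template interpolates with plain `{{ ... }}` so they are escaped like `{{ row.display_type }}` on the next line.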
    @@ -95,7 +95,7 @@ <h1>
       <hr>
     
       {% if trailer %}
    -  <p class="trailer">{{ trailer }}</p>
    +  <p class="trailer">{{ trailer | safe }}</p>
       {% endif %}
     
       <object id="winFirefoxPlugin" type="application/x-sharepoint"
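Review bot: `{{ trailer | safe }}` emits the trailer verbatim, which is acceptable only if it is operator-supplied configuration and is never composed from request data such as the realm or username; that assumption should be stated in a comment next to the `{% if trailer %}` guard, and the `| safe` dropped unless HTML in the trailer is an intended feature.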
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.