Intel

AIKIDO-2026-598684

coverage is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

76

High Risk

This Affects:

pythoncoverage
7.2.3 - 7.15.0
Fixed in 7.15.1
Are you affected? Scan for Free

TL;DR

When coverage generates an HTML report with show_contexts enabled, it embeds context labels into the report without sufficient HTML escaping. A crafted context label can break out of its enclosing inline element and inject arbitrary markup into the generated report. Any user who opens the HTML report in a browser is exposed to the injected content. The fix fully HTML-escapes context labels before embedding them into the report.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

coverage is vulnerable to Cross-Site Scripting (XSS) in versions 7.2.3 - 7.15.0.

How to fix this

Upgrade the coverage library to the patch version.