GHSA-6jq6-x4cx-qvcm: Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)
The Twig template resources/views/list/ale.twig renders the piggy bank name taken from AuditLogEntry.after.piggy through the |raw filter, which bypasses Twig's HTML auto-escaping. Any user who can create or rename a piggy bank can therefore give it a name containing HTML, and that markup is emitted unescaped into the Audit Log Entry view; the embedded JavaScript runs in the browser of anyone who views the audit log of a transaction referencing that piggy bank. This is a stored XSS: the payload persists in the database and fires on every subsequent view of the affected entry.
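The following is an added example, not code from Firefly III or from the advisory. It models the two halves of the issue in Python: a small checker that flags {{ ...|raw }} output expressions in Twig template source (useful for auditing your own templates for the same pattern), and a renderer that shows how a constructed payload comes out with auto-escaping bypassed versus applied. The template snippets and the payload are constructed for illustration and are not the actual contents of ale.twig; the variable name entry.after.piggy is an assumption.

```python
import html
import re

# Constructed sample templates. These are illustrative only and are NOT the
# real contents of resources/views/list/ale.twig.
VULNERABLE_TEMPLATE = """
<td>{{ trans('firefly.piggy_bank') }}</td>
<td>{{ entry.after.piggy|raw }}</td>
"""

FIXED_TEMPLATE = """
<td>{{ trans('firefly.piggy_bank') }}</td>
<td>{{ entry.after.piggy }}</td>
"""

# Matches a Twig output expression ({{ ... }}) whose filter chain ends in |raw,
# which is the construct that disables Twig's auto-escaping for that value.
RAW_OUTPUT = re.compile(r"\{\{\s*(?P<expr>[^}]*?)\|\s*raw\s*\}\}")


def find_raw_outputs(template: str):
    """Return (line_number, expression) for every {{ ...|raw }} in the template.

    Every hit is a place where the template author has opted out of escaping;
    each one needs a justification that the value is trusted or pre-escaped.
    """
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in RAW_OUTPUT.finditer(line):
            findings.append((lineno, match.group("expr").strip()))
    return findings


def render_piggy_cell(piggy_name: str, raw: bool) -> str:
    """Model the table cell with (raw=True) and without (raw=False) the |raw filter.

    Twig's default 'html' autoescape strategy escapes & < > " and '; Python's
    html.escape(quote=True) escapes the same characters (it encodes ' as &#x27;
    where Twig emits &#039;, which is equivalent in an HTML attribute or text).
    """
    value = piggy_name if raw else html.escape(piggy_name, quote=True)
    return f"<td>{value}</td>"


# Constructed payload standing in for a hostile piggy bank name.
PAYLOAD = '<img src=x onerror="alert(document.domain)">'


if __name__ == "__main__":
    for name, tpl in (("vulnerable", VULNERABLE_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, find_raw_outputs(tpl))
    print("raw:    ", render_piggy_cell(PAYLOAD, raw=True))
    print("escaped:", render_piggy_cell(PAYLOAD, raw=False))
```

Running find_raw_outputs over a real template tree (os.walk over *.twig files, feeding each file's text in) gives a quick inventory of every auto-escaping opt-out; the remedy for a user-controlled value such as a piggy bank name is to drop the |raw filter so the default escaping applies, as the fixed template above does.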