CVE-2026-55847: Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
The ansi.js Handlebars helper in allure-generator passes user-controlled statusMessage and statusTrace values from test result files through the ansi-to-html library and wraps the output in Handlebars SafeString without HTML escaping. Since ansi-to-html does not escape HTML entities by default, an attacker who can influence test result content (e.g., via crafted JUnit XML failure messages) can inject arbitrary JavaScript that executes when anyone views the generated Allure report.
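The defect described above is an ordering problem: ANSI escape sequences are turned into markup, and the result is then marked safe, so any HTML already present in the status message is emitted verbatim. The following is an added illustration, not code from Allure or from ansi-to-html: `escapeHtml()` mirrors what Handlebars' `escapeExpression` does, and `ansiToHtml()` is a small hypothetical converter that, like ansi-to-html with default options, converts SGR sequences but leaves `<`, `>` and `&` untouched. The hardened helper escapes entities before converting, so the only tags that survive are the ones the converter itself emits (ansi-to-html's own `escapeXML` option achieves the same thing inside the library).

```javascript
// Added example (not Allure's code): unsafe vs hardened shape of an ANSI helper.
// No external packages are loaded; both helpers below are stand-ins.

// Same character set Handlebars escapes in escapeExpression().
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"'`=]/g, (ch) => ENTITY_MAP[ch]);
}

// Hypothetical converter: bold (1), four foreground colours (31-34) and reset (0).
// It rewrites escape sequences only and does NOT touch HTML-significant characters,
// which is the default behaviour the advisory describes for ansi-to-html.
const SGR_STYLES = {
  '1': 'font-weight:bold', '31': 'color:#a00', '32': 'color:#0a0',
  '33': 'color:#a50', '34': 'color:#00a',
};

function ansiToHtml(text) {
  const re = /\x1b\[([0-9;]*)m/g;
  let out = '';
  let open = 0;   // number of <span> tags currently open
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    out += text.slice(last, m.index);
    last = re.lastIndex;
    for (const code of (m[1] || '0').split(';')) {
      if (code === '0' || code === '') {
        out += '</span>'.repeat(open);
        open = 0;
      } else if (SGR_STYLES[code]) {
        out += `<span style="${SGR_STYLES[code]}">`;
        open++;
      }
    }
  }
  return out + text.slice(last) + '</span>'.repeat(open);
}

// Vulnerable helper shape: convert, then mark the result as safe. Markup that was
// already inside statusMessage / statusTrace reaches the report DOM unescaped.
function renderUnsafe(value) {
  return { safe: true, html: ansiToHtml(value) };
}

// Hardened helper: escape entities first, then convert. A '<' supplied by the test
// result becomes '&lt;'; only the converter's own <span> tags remain as markup.
function renderSafe(value) {
  return { safe: true, html: ansiToHtml(escapeHtml(value)) };
}

// Constructed sample failure message carrying both ANSI colour and HTML.
const SAMPLE = '\x1b[31mexpected\x1b[0m <b>true</b> & got false';

console.log('unsafe  :', renderUnsafe(SAMPLE).html);
console.log('hardened:', renderSafe(SAMPLE).html);
```

Running the block prints the two renderings side by side: in the unsafe one the `<b>` tag from the test result is live markup, in the hardened one it is inert text while the red `<span>` produced for `\x1b[31m` is preserved.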