CVE-2026-24564 in Textmetrics Plugin
Summary
by MITRE • 01/23/2026
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection.This issue affects Textmetrics: from n/a through <= 3.6.3.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/23/2026
This vulnerability represents a classic cross-site scripting flaw that exploits improper input validation in web applications. The issue resides in the Israpil Textmetrics webtexttool software where user-supplied input containing HTML tags is not adequately sanitized before being rendered in web pages. This basic form of XSS allows attackers to inject malicious scripts that execute in the context of other users' browsers, creating a significant security risk for any organization relying on this text processing tool.
The technical implementation of this vulnerability stems from insufficient output encoding and input validation mechanisms within the webtexttool application. When users submit text content through the interface, the system fails to properly neutralize or escape HTML special characters that could be interpreted as script tags or other malicious constructs. This weakness creates an environment where attackers can embed malicious JavaScript code within text inputs that will subsequently be executed when other users view the content. The vulnerability affects versions of Textmetrics up to and including 3.6.3, indicating that this flaw has persisted across multiple releases without adequate remediation.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with the ability to compromise user sessions, steal sensitive information, and potentially escalate privileges within the application. Attackers could craft malicious inputs that redirect users to phishing sites, steal cookies, or manipulate the application's functionality to gain unauthorized access to data. The basic nature of this XSS vulnerability means that it can be exploited through simple user interaction, making it particularly dangerous in environments where multiple users interact with the same text processing tool. This weakness directly aligns with CWE-79 which classifies improper neutralization of input during web page generation as a fundamental security flaw in web applications.
Organizations utilizing this software should immediately implement mitigations including input validation, output encoding, and content security policies to prevent exploitation of this vulnerability. The recommended approach involves implementing strict sanitization of all user inputs before processing, utilizing proper HTML escaping mechanisms, and deploying security headers to prevent script execution. Additionally, organizations should consider implementing web application firewalls and monitoring for suspicious input patterns. This vulnerability demonstrates the critical importance of maintaining up-to-date security practices in web applications and highlights the need for comprehensive security testing to identify and remediate such flaws before they can be exploited by malicious actors. The ATT&CK framework categorizes this as a code injection technique under the application layer, emphasizing the need for layered security controls to protect against such persistent threats.