## HIGH-SEVERITY STORED XSS IN ANNOUNCEMENTS API — SCRIPT TAGS STORED & RETURNED VERBATIM
A high-severity stored cross-site scripting (XSS) vulnerability has been reported in the announcements API: both the `title` and `body` fields accept and store raw HTML and JavaScript without validation or sanitization. During end-to-end testing, payloads such as `<script>alert(1)</script>` and `<img onerror=alert(1) src=x>` were stored verbatim. A subsequent GET returns the same strings in the JSON response. The JSON encoding itself is not the defect; the problem is that any consumer which renders those values as HTML rather than as text will execute them.

The flaw is in the `POST /api/v1/announcements` endpoint, which is available to HR admin roles, so the realistic attacker is a malicious or compromised HR admin account posting content that is then displayed to whoever views announcements. Failing to validate or encode input before it is stored and later rendered violates basic security expectations. This is not a theoretical risk: the stored XSS fires whenever the frontend renders announcement content as markup, for example through React's `dangerouslySetInnerHTML` or an equivalent `innerHTML` assignment, without sanitizing it first.

The impact is severe. Script running in the application's origin can read any cookie not marked `HttpOnly`, act against the API with the victim's active session, or present phishing content inside the application's trusted interface. The fix belongs on the server. If announcements do not need rich formatting, treat both fields as plain text: reject or escape markup on input and HTML-encode on output. If HTML must be allowed, pass the fields through an allowlist sanitizer such as `sanitize-html` before persisting them (DOMPurify can also run server-side, but needs a DOM implementation such as jsdom). Stripping `<script>` tags alone is not sufficient, because event-handler attributes such as `onerror` and `javascript:` URLs are equally dangerous; neutralize those too. As defense in depth, the frontend should not pass data it has not sanitized itself to `dangerouslySetInnerHTML`.
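The plain-text route described above, as an added Node.js example that is not part of the reported project or the issue thread. It assumes a hypothetical in-memory store in place of the real announcements table, a hand-written `escapeHtml`, and a deliberately conservative `looksLikeMarkup` heuristic for the input check; the two payloads are the ones from the report.

```javascript
'use strict';

// Escape the characters that break out of an HTML text or quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Conservative check for a field that is supposed to be plain text: a tag opener
// (browsers require the tag name right after "<" or "</"), an inline event-handler
// attribute, or a javascript: URL is rejected. Heuristic, not a sanitizer.
const MARKUP_RE = /<\/?[a-z!?]|\bon[a-z]+\s*=|javascript\s*:/i;
function looksLikeMarkup(s) {
  return MARKUP_RE.test(String(s));
}

// Hypothetical in-memory store standing in for the announcements table.
function createStore() {
  const rows = new Map();
  let nextId = 1;
  return {
    // Handler logic for POST /api/v1/announcements (no HTTP framework here).
    create({ title, body }) {
      for (const [name, value] of [['title', title], ['body', body]]) {
        if (typeof value !== 'string' || value.trim() === '') {
          throw new Error(`${name} is required`);
        }
        if (looksLikeMarkup(value)) {
          throw new Error(`${name} must be plain text`);
        }
      }
      const row = { id: nextId++, title, body };
      rows.set(row.id, row);
      return row;
    },
    // GET /api/v1/announcements/:id returns the stored text as-is; JSON encoding
    // is safe, the HTML context is handled in renderHtml.
    get(id) {
      return rows.get(id) || null;
    },
    // Server-side render into an HTML fragment; every value passes through
    // escapeHtml, so even a row that bypassed validation cannot inject markup.
    renderHtml(id) {
      const a = rows.get(id);
      if (!a) return null;
      return `<article><h2>${escapeHtml(a.title)}</h2><p>${escapeHtml(a.body)}</p></article>`;
    },
    all() {
      return [...rows.values()];
    },
  };
}

// Audit helper for the E2E finding: scan rows stored before validation existed
// so they can be cleaned up or re-encoded.
function findUnsafeRows(rowList) {
  const hits = [];
  for (const r of rowList) {
    for (const field of ['title', 'body']) {
      if (looksLikeMarkup(r[field])) hits.push({ id: r.id, field });
    }
  }
  return hits;
}

// Constructed payloads, copied from the report.
const PAYLOADS = ['<script>alert(1)</script>', '<img onerror=alert(1) src=x>'];

// Stand-alone demo: "legacy" rows simulate what the E2E test found already stored.
function demo() {
  const store = createStore();
  const ok = store.create({ title: 'Office closed Friday', body: 'Back on Monday, 9am.' });
  const rejected = PAYLOADS.map((p) => {
    try { store.create({ title: 'x', body: p }); return false; } catch (err) { return true; }
  });
  const legacy = [
    { id: 99, title: PAYLOADS[0], body: 'x' },
    { id: 100, title: 'fine', body: PAYLOADS[1] },
  ];
  return { rendered: store.renderHtml(ok.id), rejected, unsafe: findUnsafeRows(legacy) };
}
```

Run `demo()` to see both payloads rejected at the API boundary, a clean announcement rendered with every value encoded, and the two legacy rows flagged for cleanup. If rich text is a requirement, keep `escapeHtml` out of the render path and replace the `looksLikeMarkup` rejection with an allowlist sanitizer on input; a denylist of tag names is never the right tool.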
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, XSS, API, testing
- **Credibility**: unverified
- **Published**: 2026-03-30 00:26:55
- **ID**: 40132
- **URL**: https://whisperx.ai/en/intel/40132