{"api_version":"1","generated_at":"2026-04-23T00:40:24+00:00","cve":"CVE-2022-28366","urls":{"html":"https://cve.report/CVE-2022-28366","api":"https://cve.report/api/cve/CVE-2022-28366.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-28366","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-28366"},"summary":{"title":"CVE-2022-28366","description":"Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-04-21 23:15:00","updated_at":"2023-12-07 17:56:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://github.com/nahsra/antisamy/releases/tag/v1.6.6","name":"https://github.com/nahsra/antisamy/releases/tag/v1.6.6","refsource":"MISC","tags":[],"title":"Release Release version 1.6.6 · nahsra/antisamy · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit","name":"https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit","refsource":"MISC","tags":[],"title":"Maven Central Repository Search","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/","name":"https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/","refsource":"MISC","tags":[],"title":"HtmlUnit -  Browse /htmlunit/2.27 at SourceForge.net","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-28366","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28366","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"28366","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"antisamy_project","cpe5":"antisamy","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"28366","vulnerable":"1","versionEndIncluding":"1.9.22","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"cyberneko_html_project","cpe5":"cyberneko_html","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"28366","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"htmlunit","cpe5":"htmlunit","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"28366","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"htmlunit_project","cpe5":"htmlunit","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-28366","qid":"379158","title":"Atlassian Jira Service Management Data Center and Server Third-Party Dependency Vulnerability (JSDSERVER-14921)"},{"cve":"CVE-2022-28366","qid":"730976","title":"Atlassian Confluence Data Center and Server Denial of Service (DoS) Vulnerability (CONFSERVER-93169)"},{"cve":"CVE-2022-28366","qid":"731318","title":"Atlassian Jira Software Data Center and Server Denial of Service (DoS) Vulnerability (JSWSERVER-25843)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-28366","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/nahsra/antisamy/releases/tag/v1.6.6","refsource":"MISC","name":"https://github.com/nahsra/antisamy/releases/tag/v1.6.6"},{"url":"https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit","refsource":"MISC","name":"https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit"},{"url":"https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/","refsource":"MISC","name":"https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/"}]}},"nvd":{"publishedDate":"2022-04-21 23:15:00","lastModifiedDate":"2023-12-07 17:56:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:cyberneko_html_project:cyberneko_html:*:*:*:*:*:*:*:*","versionEndIncluding":"1.9.22","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:htmlunit:htmlunit:*:*:*:*:*:*:*:*","versionEndExcluding":"2.27","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*","versionEndExcluding":"1.6.6","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}