CVE-2025-70849: Generic Stored XSS (Missing Content-Type)

Serving file content directly in an HTTP response without explicitly setting a `Content-Type` (and a `Content-Security-Policy`) header can lead to stored cross-site scripting (XSS). When an unauthenticated user can upload HTML or JavaScript content, a browser that MIME-sniffs the untyped response may render it as HTML and execute the script. Explicitly configure headers

Provally Curated · Public repository · Medium · Medium confidence · Verified · Apache-2.0 · Go · β
greprules fetch cve-2025-70849-generic-stored-xss-missing-content-type --engine opengrep

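The pattern the rule flags, as an added Go example that is not part of the Provally rule or any project's code: a handler that writes stored bytes with no `Content-Type` (Go's `net/http` then sniffs the body and labels it `text/html`), beside a hardened handler that pins the type, sends `X-Content-Type-Options: nosniff` and a restrictive CSP. The handler and helper names and the sample upload are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample of an "uploaded" file: an HTML document carrying a script,
// stored by an unauthenticated user under an innocuous name.
var uploadedFile = []byte("<html><body><script>document.title='xss'</script></body></html>")

// serveUnsafe echoes the stored bytes with no Content-Type. net/http fills in the
// missing header by sniffing the first 512 bytes (http.DetectContentType), so this
// body goes out as text/html and a browser renders it, script included.
func serveUnsafe(w http.ResponseWriter, r *http.Request) {
	w.Write(uploadedFile)
}

// serveSafe pins the type, forbids browser sniffing and applies a restrictive CSP,
// so the same bytes are treated as an opaque download rather than a document.
func serveSafe(w http.ResponseWriter, r *http.Request) {
	h := w.Header()
	h.Set("Content-Type", "application/octet-stream")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	h.Set("Content-Disposition", "attachment; filename=\"upload.bin\"")
	w.Write(uploadedFile)
}

// responseHeaders runs a handler against a recorder and returns the headers the
// client would see; usable as a regression check in a test suite.
func responseHeaders(h http.HandlerFunc) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/files/upload.bin", nil))
	return rec.Result().Header
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"unsafe": serveUnsafe, "safe": serveSafe} {
		hdr := responseHeaders(h)
		fmt.Printf("%s: Content-Type=%q X-Content-Type-Options=%q\n",
			name, hdr.Get("Content-Type"), hdr.Get("X-Content-Type-Options"))
	}
}
```

`responseHeaders` uses `httptest`, which applies the same sniffing fallback as a real server, so the unsafe handler's `text/html; charset=utf-8` label shows up without starting a listener.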