From f58a6e5d3a3e76dd06de0472cc48ff67280ef33e Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 13 Mar 2026 10:01:02 +0000
Subject: [PATCH 1/3] Change @security-severity for XSS queries from 6.1 to 7.8
---
 cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql | 2 +-
 csharp/ql/src/Security Features/CWE-079/XSS.ql | 2 +-
 go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql | 2 +-
 go/ql/src/Security/CWE-079/ReflectedXss.ql | 2 +-
 go/ql/src/Security/CWE-079/StoredXss.ql | 2 +-
 .../CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql | 2 +-
 .../CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql | 2 +-
 java/ql/src/Security/CWE/CWE-079/XSS.ql | 2 +-
 python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql | 2 +-
 python/ql/src/Security/CWE-079/ReflectedXss.ql | 2 +-
 ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql | 2 +-
 ruby/ql/src/queries/security/cwe-079/StoredXSS.ql | 2 +-
 ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql | 2 +-
 rust/ql/src/queries/security/CWE-079/XSS.ql | 2 +-
 swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql | 2 +-
 15 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
index 994aba733d23..0e4a8f9741cd 100644
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id cpp/cgi-xss
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-079/XSS.ql b/csharp/ql/src/Security Features/CWE-079/XSS.ql
index 8735d89ef500..b819ed06bf83 100644
--- a/csharp/ql/src/Security Features/CWE-079/XSS.ql
+++ b/csharp/ql/src/Security Features/CWE-079/XSS.ql
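Review bot: The `+ * @security-severity 7.8` line in the `cpp/cgi-xss` hunk is not the score of the CVSS 3.x vector normally used for reflected XSS — AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N scores 6.1, which is presumably where the old value came from — so nothing in this patch lets a maintainer reconstruct why 7.8 is right. 7.8 is, for example, the score of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, a local-attacker vector, which does not describe a CGI XSS. The query metadata has no field for a vector, so record it in the commit body or PR description with a line such as `@security-severity 7.8 derived from CVSS:3.1/AV:…/AC:…/…`, and apply the same vector to the other XSS queries in this patch so the value stays traceable when CVSS guidance changes. The enclosing QLDoc block begins before this hunk.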
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id cs/web/xss
  * @tags security
diff --git a/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql b/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
index 15373ee85edf..f556630965c7 100644
--- a/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
+++ b/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
@@ -5,7 +5,7 @@
  * scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id go/html-template-escaping-bypass-xss
  * @tags security
diff --git a/go/ql/src/Security/CWE-079/ReflectedXss.ql b/go/ql/src/Security/CWE-079/ReflectedXss.ql
index 0fca12ac2858..ebabb69f0a4e 100644
--- a/go/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/go/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
  * a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id go/reflected-xss
  * @tags security
diff --git a/go/ql/src/Security/CWE-079/StoredXss.ql b/go/ql/src/Security/CWE-079/StoredXss.ql
index 83628b310321..dcae0a5f9c1d 100644
--- a/go/ql/src/Security/CWE-079/StoredXss.ql
+++ b/go/ql/src/Security/CWE-079/StoredXss.ql
@@ -4,7 +4,7 @@
  * a stored cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision low
  * @id go/stored-xss
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
index 4368b537ab7c..3b4abcaa7f68 100644
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
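Review bot: `go/stored-xss` carries `@precision low` in this hunk's context lines, and the commit moves its alerts into the "high" security-severity band without touching precision, so its low-confidence results will now sort ahead of higher-precision medium findings wherever triage orders by `@security-severity`. If the score is intended to describe impact only, that is acceptable, but the change note for Go should say so explicitly rather than listing the query alongside the high-precision ones. If the query is part of a suite that users run by default (not visible here), consider whether `@precision low` should be revisited in the same change instead of raising severity alone.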
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
@@ -4,7 +4,7 @@
  * @description Exposing a Java object in a WebView with a JavaScript interface can lead to malicious JavaScript controlling the application.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision medium
  * @tags security
  * external/cwe/cwe-079
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
index 561b2af8de02..3ea2b207c04b 100644
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id java/android/websettings-javascript-enabled
  * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision medium
  * @tags security
  * external/cwe/cwe-079
diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql
index 9ae92a7e362e..f1261ebff744 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id java/xss
  * @tags security
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
index 97bbb72edec9..fd03ba433a10 100644
--- a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
+++ b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -4,7 +4,7 @@
  * cause a cross-site scripting vulnerability.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision medium
  * @id py/jinja2/autoescape-false
  * @tags security
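Review bot: The two Android WebView queries in this hunk are `@kind problem` configuration checks with `@problem.severity warning` and `@precision medium`, and their threat model — page content reaching a Java bridge via `addJavascriptInterface`, or JavaScript merely being enabled in a WebView — is not the reflected-XSS scenario the commit title names, so giving them the same 7.8 needs its own justification. If the intent is that these represent code execution inside the app (which the `@description` of `AndroidWebViewAddJavascriptInterface.ql` suggests), state that in the PR description; otherwise leave them at 6.1 and keep this commit to the taint-tracking XSS queries. Note also that `java/android/websettings-javascript-enabled` flags a precondition rather than a confirmed sink, so a "high" band score on a medium-precision warning will add noise to high-severity triage queues. Separately, the change note in the third patch refers to the first query as `java/android/webview-addjavascriptinterface`, but its `@id` line is not among this hunk's context lines, so confirm the id matches the query before merging.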
diff --git a/python/ql/src/Security/CWE-079/ReflectedXss.ql b/python/ql/src/Security/CWE-079/ReflectedXss.ql
index 11ebad00e375..286dbece126a 100644
--- a/python/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @sub-severity high
  * @precision high
  * @id py/reflective-xss
diff --git a/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql b/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
index 8cc60618cc5c..04eed164046d 100644
--- a/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
+++ b/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @sub-severity high
  * @precision high
  * @id rb/reflected-xss
diff --git a/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql b/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
index a621aee00b03..a2a1752f7f4f 100644
--- a/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
+++ b/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
@@ -4,7 +4,7 @@
  * a stored cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id rb/stored-xss
  * @tags security
diff --git a/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql b/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql
index c1527783fc34..3fa40cd6f919 100644
--- a/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql
+++ b/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql
@@ -4,7 +4,7 @@
  * user to perform a cross-site scripting attack.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id rb/html-constructed-from-input
  * @tags security
diff --git a/rust/ql/src/queries/security/CWE-079/XSS.ql b/rust/ql/src/queries/security/CWE-079/XSS.ql
index 3c43f5043c74..e7609196b3e7 100644
--- a/rust/ql/src/queries/security/CWE-079/XSS.ql
+++ b/rust/ql/src/queries/security/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id rust/xss
  * @tags security
diff --git a/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql b/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
index 7243d2216a59..3a2de3fa80ae 100644
--- a/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
+++ b/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
@@ -3,7 +3,7 @@
  * @description Fetching data in a WebView without restricting the base URL may allow an attacker to access sensitive local data, or enable cross-site scripting attack.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id swift/unsafe-webview-fetch
  * @tags security
From 056aa342fee99d9367f4041db89beee59417d3b7 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 13 Mar 2026 10:02:01 +0000
Subject: [PATCH 2/3] Change @security-severity for log injection queries from 7.8 to 6.1
---
 csharp/ql/src/Security Features/CWE-117/LogForging.ql | 2 +-
 go/ql/src/Security/CWE-117/LogInjection.ql | 2 +-
 java/ql/src/Security/CWE/CWE-117/LogInjection.ql | 2 +-
 python/ql/src/Security/CWE-117/LogInjection.ql | 2 +-
 ruby/ql/src/queries/security/cwe-117/LogInjection.ql | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
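Review bot: `swift/unsafe-webview-fetch` keeps `@problem.severity warning` while its `@description` names two distinct impacts — reading sensitive local data, or XSS — so a single 7.8 leaves it unclear which scenario the score is for. The local-file read is the branch that plausibly justifies a confidentiality-high rating; the XSS branch is the one the 6.1 reflected-XSS vector describes, and the PR description should say which one 7.8 is meant to capture. If the local-data case is the intended one, consider raising `@problem.severity` from `warning` to `error` in the same change, since every other path-problem query moved to 7.8 in this patch is already `error`.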
diff --git a/csharp/ql/src/Security Features/CWE-117/LogForging.ql b/csharp/ql/src/Security Features/CWE-117/LogForging.ql
index 9494af335705..a922f1c02f8b 100644
--- a/csharp/ql/src/Security Features/CWE-117/LogForging.ql
+++ b/csharp/ql/src/Security Features/CWE-117/LogForging.ql
@@ -4,7 +4,7 @@
  * insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision high
  * @id cs/log-forging
  * @tags security
diff --git a/go/ql/src/Security/CWE-117/LogInjection.ql b/go/ql/src/Security/CWE-117/LogInjection.ql
index 5b6586c8e4e2..08febfd842e8 100644
--- a/go/ql/src/Security/CWE-117/LogInjection.ql
+++ b/go/ql/src/Security/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
  * insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision medium
  * @id go/log-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-117/LogInjection.ql b/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
index dd4ffb6a10a1..f3efb578f76a 100644
--- a/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
  * insertion of forged log entries by malicious users.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision medium
  * @id java/log-injection
  * @tags security
diff --git a/python/ql/src/Security/CWE-117/LogInjection.ql b/python/ql/src/Security/CWE-117/LogInjection.ql
index f1b72faaccbd..64b29e142e08 100644
--- a/python/ql/src/Security/CWE-117/LogInjection.ql
+++ b/python/ql/src/Security/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
  * insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision medium
  * @id py/log-injection
  * @tags security
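Review bot: Lowering the CWE-117 queries in this line to 6.1 is defensible when the only impact is the one the context line names — "insertion of forged log entries" — but 6.1 is the score of the reflected-XSS vector, not of an integrity-only log-forging vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N scores 5.3), so the value looks chosen to mirror the old XSS number rather than derived. Record the vector you are scoring against in the commit body, as for the XSS patch, so the two families are not silently coupled. The realistic escalation for log injection is log data later rendered unescaped in a browser-based log viewer or parsed by automation, which becomes a stored-injection path; if that is what the previous 7.8 was meant to reflect, the query help should mention that case so the lower score is not read as "log contents are harmless".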
diff --git a/ruby/ql/src/queries/security/cwe-117/LogInjection.ql b/ruby/ql/src/queries/security/cwe-117/LogInjection.ql
index 624c2f90e64d..50a4a718e32d 100644
--- a/ruby/ql/src/queries/security/cwe-117/LogInjection.ql
+++ b/ruby/ql/src/queries/security/cwe-117/LogInjection.ql
@@ -4,7 +4,7 @@
  * insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision medium
  * @id rb/log-injection
  * @tags security
From 52809133f56a3ebf5a1bd1aae259fb024477492a Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 13 Mar 2026 11:10:43 +0000
Subject: [PATCH 3/3] Add change notes
---
 .../2026-03-13-adjust-xss-and-log-injection-severity.md | 4 ++++
 .../2026-03-13-adjust-xss-and-log-injection-severity.md | 5 +++++
 .../2026-03-13-adjust-xss-and-log-injection-severity.md | 5 +++++
 .../2026-03-13-adjust-xss-and-log-injection-severity.md | 5 +++++
 .../2026-03-13-adjust-xss-and-log-injection-severity.md | 5 +++++
 .../2026-03-13-adjust-xss-and-log-injection-severity.md | 5 +++++
 .../2026-03-13-adjust-xss-and-log-injection-severity.md | 4 ++++
 .../2026-03-13-adjust-xss-and-log-injection-severity.md | 4 ++++
 8 files changed, 37 insertions(+)
 create mode 100644 cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
 create mode 100644 csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
 create mode 100644 go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
 create mode 100644 java/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
 create mode 100644 python/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
 create mode 100644 ruby/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
 create mode 100644 rust/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
 create mode 100644 swift/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
diff --git a/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md b/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..0810e9c49bac
--- /dev/null
+++ b/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
diff --git a/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md b/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..c317194bc259
--- /dev/null
+++ b/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
diff --git a/go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md b/go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..45320bcd719c
--- /dev/null
+++ b/go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).
diff --git a/java/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md b/java/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..fa1288af16eb
--- /dev/null
+++ b/java/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled` and `java/xss` has been increased from 6.1 (medium) to 7.8 (high).
diff --git a/python/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md b/python/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..4278d0171e34
--- /dev/null
+++ b/python/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `py/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `py/jinja2/autoescape-false` and `py/reflective-xss` has been increased from 6.1 (medium) to 7.8 (high).
diff --git a/ruby/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md b/ruby/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..459c2ce7f916
--- /dev/null
+++ b/ruby/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `rb/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `rb/reflected-xss`, `rb/stored-xss` and `rb/html-constructed-from-input` has been increased from 6.1 (medium) to 7.8 (high).
diff --git a/rust/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md b/rust/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..7c24d4147a5b
--- /dev/null
+++ b/rust/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `rust/xss` has been increased from 6.1 (medium) to 7.8 (high).
diff --git a/swift/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md b/swift/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
new file mode 100644
index 000000000000..a46302ed1462
--- /dev/null
+++ b/swift/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `swift/unsafe-webview-fetch` has been increased from 6.1 (medium) to 7.8 (high).