[GH-ISSUE #1076] Whoogle XSS #654

New issue

Closed

opened 2026-02-25 20:36:14 +03:00 by kerem · 0 comments

kerem commented

2026-02-25 20:36:14 +03:00

Owner

Originally created by @0xspade on GitHub (Oct 6, 2023).
Original GitHub issue: https://github.com/benbusby/whoogle-search/issues/1076

Describe the bug
Whoogle current version is vulnerable to XSS, if the result has an xss payload <iframe srcdoc="<script>alert('XSS - 13')</script>"></iframe >, it will trigger the xss.

To Reproduce
Steps to reproduce the behavior:

Search the keyword iframe srcdoc xss
Wait for the prompt

Deployment Method

Heroku (one-click deploy)
Docker
run executable
pip/pipx
Other: [describe setup]

Version of Whoogle Search

Latest build from [Docker]
Version [version number]
Not sure

Originally created by @0xspade on GitHub (Oct 6, 2023). Original GitHub issue: https://github.com/benbusby/whoogle-search/issues/1076 **Describe the bug** Whoogle current version is vulnerable to XSS, if the result has an xss payload `<iframe srcdoc="<script>alert('XSS - 13')</script>"></iframe >`, it will trigger the xss. **To Reproduce** Steps to reproduce the behavior: 1. Search the keyword `iframe srcdoc xss` 2. Wait for the prompt ![whoogle xss](https://github.com/benbusby/whoogle-search/assets/18681023/7d885ae3-9ea9-4728-9b48-4f5c0374e611) **Deployment Method** - [ ] Heroku (one-click deploy) - [X] Docker - [ ] `run` executable - [ ] pip/pipx - [ ] Other: [describe setup] **Version of Whoogle Search** - [X] Latest build from [Docker] - [ ] Version [version number] - [ ] Not sure