The display of the children of a parent artifact in the artifact link field is not sanitized.
Impact
A malicious user with some control over some artifacts could use this vulnerability to force victims to execute uncontrolled code.
CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L)
Exploitation
- Have an artifact with a parent in a tracker that does not use the unified artifact link field
- Add a child to the parent artifact
- Change your realname to something like <img src=a onerror=alert(1)>
- Open the children list on the artifact view
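The missing output encoding, as an added example that is not the project's own code: a children-list row built by string concatenation, next to a version that HTML-escapes every user-controlled field before it reaches the markup. The function names, the row layout, the `/artifact/<id>` URL and the sample child record are assumptions made for illustration.

```javascript
// Added illustration, not the affected project's code. All names are hypothetical.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can change HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The link target is derived from a validated integer id, never from free text.
function childUrl(child) {
  const id = Number.parseInt(child.id, 10);
  if (!Number.isInteger(id) || id < 0) {
    throw new TypeError("artifact id must be a non-negative integer");
  }
  return `/artifact/${id}`;
}

// Unsanitized pattern: title and real name are interpolated into markup as-is,
// so any markup stored in them is parsed by the browser.
function renderChildRowUnsafe(child) {
  return `<tr><td><a href="${childUrl(child)}">${child.title}</a></td>` +
    `<td>${child.submittedBy}</td></tr>`;
}

// Hardened pattern: every user-controlled string is encoded at output time.
function renderChildRow(child) {
  return `<tr><td><a href="${childUrl(child)}">${escapeHtml(child.title)}</a></td>` +
    `<td>${escapeHtml(child.submittedBy)}</td></tr>`;
}

// Constructed sample record; the real name is the value quoted in the steps above.
const sampleChild = {
  id: 42,
  title: "Child story",
  submittedBy: "<img src=a onerror=alert(1)>",
};

console.log(renderChildRowUnsafe(sampleChild)); // real name reaches the page as a tag
console.log(renderChildRow(sampleChild));       // real name reaches the page as text
```

When the row is inserted into a live DOM instead of being built as a string, assigning the value through `textContent` gives the same result without a hand-written encoder.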
References
CWE 79
OWASP Cross-site Scripting
CVE-2025-53541