GSSA-2026-04-TPJNF1 | 2026-04-25 | 6.1 Medium
Stored XSS via manual HTML escaping in events log-outcome view in cobc-events
The `log-outcome.ejs` template used the unescaped `<%-` output tag with hand-rolled HTML escaping that did not cover all XSS vectors, allowing stored XSS via `event.notes`.