CISA\u2019s secure-software buying tool had a simple XSS vulnerability of its own | CyberScoop<\/title> <meta name=\"description\" content=\"A Cybersecurity and Infrastructure Security Agency tool dedicated to helping government agencies buy secure software turned out to have a cybersecurity vulnerability of its own.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA\u2019s secure-software buying tool had a simple XSS vulnerability of its own\"> <meta property=\"og:description\" content=\"A Cybersecurity and Infrastructure Security Agency tool dedicated to helping government agencies buy secure software turned out to have a cybersecurity vulnerability of its own.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-15T22:47:42+00:00\"> <meta property=\"article:modified_time\" content=\"2026-01-15T22:47:45+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1080\"> <meta property=\"og:image:type\" content=\"image\/png\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1768337335g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87459\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87459\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87459 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.701923076923\">\n<div class=\"single-article__header-content\" readability=\"35.177339901478\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> A researcher who discovered the vulnerability said it was fixed in December, after he first reported it to the agency in September. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87459\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own.png?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Computer with alert on it.\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own-1.png?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Pixabay) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"28.919601328904\"><body readability=\"60.12910618793\"><\/p>\n<p>A Cybersecurity and Infrastructure Security Agency tool dedicated to helping government agencies buy secure software turned out to have a cybersecurity vulnerability of its own.<\/p>\n<p>Jeff Williams, the former leader of the Open Worldwide Application Security Project (OWASP), told CyberScoop that he discovered a cross-site scripting vulnerability in CISA\u2019s <a href=\"https:\/\/www.cisa.gov\/software-acquisition-guide\/tool\">\u201cSoftware Acquisition Guide: Supplier Response Web Tool\u201d<\/a> and reported it to CISA in September, before it was eventually fixed in December.<\/p>\n<p>The vulnerability involves attackers injecting JavaScript into a web page, then getting that JavaScript to attack other users of that same page, he said. It also could have been used to deface the website, he said.<\/p>\n<p>Williams, co-founder and chief technology officer of the application security firm Contrast Security, said it should have been easy for someone to spot the vulnerability at CISA, since it was the first attack he tried.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cI thought it was a little hypocritical to be promoting secure software development and not do the most basic test you could possibly do,\u201d he said.<\/p>\n<p>When Williams first reported the flaw through a bug bounty program, they rejected it as not critical enough, but he later got attention to the flaw from CISA\u2019s Vulnerability Information and Coordination Environment program. The government shutdown contributed to the delay in fixing it, but Williams said it should\u2019ve been just five minutes of work.<\/p>\n<p>Williams said that while there are worse bugs than the one he uncovered, \u201cI have customers that would treat this vulnerability as incredibly serious, because they take their reputation to be one of their most important assets.\u201d<\/p>\n<p>CISA\u2019s role as an evangelist for cybersecurity hasn\u2019t made it immune to cyberattacks. Notably, the agency <a href=\"https:\/\/cyberscoop.com\/ivanti-linked-breach-of-cisa-potentially-affected-more-than-100000-individuals\/\">identified a breach<\/a> in 2024 that triggered a notification to Congress.<\/p>\n<p>The chief information officer for CISA, Robert Costello, said the agency took action after receiving notification about a potential vulnerability.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cAs per protocol, we addressed and patched the vulnerability, ensuring there was no significant risk or known exploitation,\u201d he said in a statement to CyberScoop. \u201cAdditionally, our team identified process improvements for future vulnerabilities reported to the agency. As a champion for the CVE [Common Vulnerabilities and Exposures] program, CISA followed the standard coordinated disclosure processes to create a CVE that documents the vulnerability. CISA appreciates the report provided by this security researcher. This is another example of operational collaboration in action.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA\u2019s secure-software buying tool had a simple XSS vulnerability of<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5809,1765,452,117,5810,256,643,4620],"tags":[5811,1770,454,119,5812,262,645,4621],"class_list":["post-8267","post","type-post","status-publish","format-standard","hentry","category-contrast-security","category-cve","category-cybersecurity-and-infrastructure-security-agency-cisa","category-government","category-owasp","category-research","category-vulnerabilities","category-xss","tag-contrast-security","tag-cve","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-government","tag-owasp","tag-research","tag-vulnerabilities","tag-xss"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/contrast-security\/\" rel=\"category tag\">Contrast Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cve\/\" rel=\"category tag\">CVE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/owasp\/\" rel=\"category tag\">OWASP<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/xss\/\" rel=\"category tag\">XSS<\/a>","tag_info":"XSS","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8267"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8267\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8267,"date":"2026-01-15T16:47:42","date_gmt":"2026-01-15T22:47:42","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87459"},"modified":"2026-01-15T16:47:42","modified_gmt":"2026-01-15T22:47:42","slug":"cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/15\/cisas-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own\/","title":{"rendered":"CISA\u2019s secure-software buying tool had a simple XSS vulnerability of its own"},"content":{"rendered":"