Apache · Apache Airflow · CVE-2023-47265
**Name of the Vulnerable Software and Affected Versions**
Apache Airflow versions 2.6.0 through 2.7.3
**Description**
The issue is a stored XSS vulnerability that allows a DAG author to add unbounded, unsanitized JavaScript to the parameter description field of a DAG. This JavaScript executes on the client side of any user who views the tasks, within the browser sandbox, allowing modification of what that user sees in the browser. This opens up possibilities of misleading other users.
**Recommendations**
For Apache Airflow versions 2.6.0 through 2.7.3, upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability. As a temporary workaround, consider restricting access to the parameter description field of the DAG to minimize the risk of exploitation.
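The following is an added defender-side example, not code from the advisory or from the Airflow project: a pre-deployment check that treats DAG `Param` description strings as untrusted author input, flags anything that would render as active content in the UI of affected versions, and shows the escaped form a fixed UI would display. The sample descriptions and the `check_dag_params` helper are constructed for illustration.

```python
"""Lint Airflow DAG Param descriptions for markup (CVE-2023-47265).

Added example, not Airflow project code. Descriptions are treated as
untrusted input from DAG authors; anything that would render as HTML
or script in an unpatched Airflow UI is reported.
"""
import html
import re
from typing import Dict, List, Tuple

# Constructed sample: param name -> description, as a DAG author might set
# via airflow.models.param.Param(..., description=...). Not from the advisory.
SAMPLE_PARAM_DESCRIPTIONS = {
    "input_path": "S3 prefix to read from, e.g. s3://bucket/path/",
    "retries": "Number of retries (0-5)",
    "note": "See <b>runbook</b> for details",
    "owner": "Contact <script>alert(1)</script>",
    "logo": 'Team logo <img src="x" onerror="alert(1)">',
}

# Heuristic markers of HTML or active content. A plain-text description
# never needs any of them, so a hit is worth a human look.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
_HANDLER_RE = re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)
_SCHEME_RE = re.compile(r"(javascript|data|vbscript)\s*:", re.IGNORECASE)


def find_active_content(descriptions: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {param_name: [reasons]} for descriptions that contain markup."""
    findings: Dict[str, List[str]] = {}
    for name, text in descriptions.items():
        reasons = []
        if _TAG_RE.search(text):
            reasons.append("html-tag")
        if _HANDLER_RE.search(text):
            reasons.append("event-handler")
        if _SCHEME_RE.search(text):
            reasons.append("script-scheme")
        if reasons:
            findings[name] = reasons
    return findings


def sanitize_description(text: str) -> str:
    """Escape so the description renders as literal text, never as markup."""
    return html.escape(text, quote=True)


def check_dag_params(descriptions: Dict[str, str]) -> Tuple[bool, Dict[str, List[str]], Dict[str, str]]:
    """Return (is_clean, findings, escaped_descriptions) for one DAG's params."""
    findings = find_active_content(descriptions)
    escaped = {k: sanitize_description(v) for k, v in descriptions.items()}
    return not findings, findings, escaped
```

Run it against the `params` dict of each DAG in CI; a non-clean result blocks the deploy until the description is rewritten as plain text or the instance is upgraded to 2.8.0 or newer.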