High-Severity Security Misconfiguration Leaves Application Without Browser-Enforced XSS Defenses: No Content Security Policy Found in Production Build
A high-severity security misconfiguration has been identified in a production web application: it ships with no Content Security Policy (CSP) at all, neither as an HTTP response header nor as a `<meta http-equiv="Content-Security-Policy">` tag. CSP is the browser-enforced, defense-in-depth layer that limits what an injected script can load, connect to and do; without it, the application's only protection against cross-site scripting (XSS) is correct output encoding in every template, and a single encoding mistake anywhere becomes an unrestricted script-injection flaw.
The finding was recorded on April 25, 2026, during a security audit of the application's `index.html` file. Without a CSP, any script injected into the page runs with the page's full privileges: it can load further scripts from any origin, read the DOM, web storage and non-HttpOnly cookies, and send whatever it collects to any domain, since there is no `script-src` or `connect-src` directive to confine it. The audit notes that this risk is compounded by an already-documented exposed API key (VULN-1) and by evidence of calls to external services including JSONBin.io, showing that outbound data transmission to third-party endpoints is already occurring outside the intended security perimeter; a `connect-src` allowlist would have confined such calls to approved origins.
The issue is classified under OWASP Top 10 category A05:2021 (Security Misconfiguration) and maps to CWE-79 (Cross-Site Scripting) and CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the latter because a missing policy also means no `frame-ancestors` directive, so the page can be framed by an attacker site for clickjacking. Security researchers warn that without CSP, an otherwise isolated injection flaw becomes a complete client-side compromise rather than a contained one. Organizations running similar application stacks are advised to audit their deployments for the same gap and to deploy a nonce- or hash-based policy, rolling it out in `Content-Security-Policy-Report-Only` mode first if breakage is a concern, rather than a policy that allows `'unsafe-inline'` and provides no real protection.