Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1

go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql

@@ -5,7 +5,7 @@
  *              scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id go/html-template-escaping-bypass-xss
  * @tags security

go/ql/src/Security/CWE-079/ReflectedXss.ql

@@ -4,7 +4,7 @@
  *              a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id go/reflected-xss
  * @tags security

go/ql/src/Security/CWE-079/StoredXss.ql

@@ -4,7 +4,7 @@
  *              a stored cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision low
  * @id go/stored-xss
  * @tags security

go/ql/src/Security/CWE-117/LogInjection.ql

@@ -4,7 +4,7 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision medium
  * @id go/log-injection
  * @tags security

go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).