From f58a6e5d3a3e76dd06de0472cc48ff67280ef33e Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 13 Mar 2026 10:01:02 +0000
Subject: [PATCH] Change @security-severity for XSS queries from 6.1 to 7.8

---
 cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql | 2 +-
 csharp/ql/src/Security Features/CWE-079/XSS.ql | 2 +-
 go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql | 2 +-
 go/ql/src/Security/CWE-079/ReflectedXss.ql | 2 +-
 go/ql/src/Security/CWE-079/StoredXss.ql | 2 +-
 .../CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql | 2 +-
 .../CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql | 2 +-
 java/ql/src/Security/CWE/CWE-079/XSS.ql | 2 +-
 python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql | 2 +-
 python/ql/src/Security/CWE-079/ReflectedXss.ql | 2 +-
 ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql | 2 +-
 ruby/ql/src/queries/security/cwe-079/StoredXSS.ql | 2 +-
 ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql | 2 +-
 rust/ql/src/queries/security/CWE-079/XSS.ql | 2 +-
 swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql | 2 +-
 15 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
index 994aba733d2..0e4a8f9741c 100644
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id cpp/cgi-xss
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-079/XSS.ql b/csharp/ql/src/Security Features/CWE-079/XSS.ql
index 8735d89ef50..b819ed06bf8 100644
--- a/csharp/ql/src/Security Features/CWE-079/XSS.ql
+++ b/csharp/ql/src/Security Features/CWE-079/XSS.ql
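Review bot: The new `@security-severity 7.8` in this hunk carries no recorded justification, and 6.1 is the CVSS v3 score commonly assigned to reflected XSS (network-reachable, user interaction required, changed scope, low confidentiality/integrity impact), so a reader cannot tell which vector the new value was derived from. The same value is applied uniformly in the fourteen other hunks, including AndroidWebViewAddJavascriptInterface.ql and UnsafeWebViewFetch.ql, whose descriptions state an impact profile (JavaScript controlling the application, access to sensitive local data) that differs from a reflected web XSS, so a single score may not fit every query equally. Consider recording the CVSS vector and the reasoning in the commit description, or in a change note if the repository's conventions call for one, so the score can be audited later.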
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id cs/web/xss
  * @tags security
diff --git a/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql b/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
index 15373ee85ed..f556630965c 100644
--- a/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
+++ b/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
@@ -5,7 +5,7 @@
  * scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id go/html-template-escaping-bypass-xss
  * @tags security
diff --git a/go/ql/src/Security/CWE-079/ReflectedXss.ql b/go/ql/src/Security/CWE-079/ReflectedXss.ql
index 0fca12ac285..ebabb69f0a4 100644
--- a/go/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/go/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
  * a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id go/reflected-xss
  * @tags security
diff --git a/go/ql/src/Security/CWE-079/StoredXss.ql b/go/ql/src/Security/CWE-079/StoredXss.ql
index 83628b31042..dcae0a5f9c1 100644
--- a/go/ql/src/Security/CWE-079/StoredXss.ql
+++ b/go/ql/src/Security/CWE-079/StoredXss.ql
@@ -4,7 +4,7 @@
  * a stored cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision low
  * @id go/stored-xss
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
index 4368b537ab7..3b4abcaa7f6 100644
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
@@ -4,7 +4,7 @@
  * @description Exposing a Java object in a WebView with a JavaScript interface can lead to malicious JavaScript controlling the application.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision medium
  * @tags security
  * external/cwe/cwe-079
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
index 561b2af8de0..3ea2b207c04 100644
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id java/android/websettings-javascript-enabled
  * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision medium
  * @tags security
  * external/cwe/cwe-079
diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql
index 9ae92a7e362..f1261ebff74 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id java/xss
  * @tags security
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
index 97bbb72edec..fd03ba433a1 100644
--- a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
+++ b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -4,7 +4,7 @@
  * cause a cross-site scripting vulnerability.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision medium
  * @id py/jinja2/autoescape-false
  * @tags security
diff --git a/python/ql/src/Security/CWE-079/ReflectedXss.ql b/python/ql/src/Security/CWE-079/ReflectedXss.ql
index 11ebad00e37..286dbece126 100644
--- a/python/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @sub-severity high
  * @precision high
  * @id py/reflective-xss
diff --git a/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql b/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
index 8cc60618cc5..04eed164046 100644
--- a/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
+++ b/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @sub-severity high
  * @precision high
  * @id rb/reflected-xss
diff --git a/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql b/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
index a621aee00b0..a2a1752f7f4 100644
--- a/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
+++ b/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
@@ -4,7 +4,7 @@
  * a stored cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id rb/stored-xss
  * @tags security
diff --git a/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql b/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql
index c1527783fc3..3fa40cd6f91 100644
--- a/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql
+++ b/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql
@@ -4,7 +4,7 @@
  * user to perform a cross-site scripting attack.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id rb/html-constructed-from-input
  * @tags security
diff --git a/rust/ql/src/queries/security/CWE-079/XSS.ql b/rust/ql/src/queries/security/CWE-079/XSS.ql
index 3c43f5043c7..e7609196b3e 100644
--- a/rust/ql/src/queries/security/CWE-079/XSS.ql
+++ b/rust/ql/src/queries/security/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
  * allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id rust/xss
  * @tags security
diff --git a/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql b/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
index 7243d2216a5..3a2de3fa80a 100644
--- a/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
+++ b/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
@@ -3,7 +3,7 @@
  * @description Fetching data in a WebView without restricting the base URL may allow an attacker to access sensitive local data, or enable cross-site scripting attack.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id swift/unsafe-webview-fetch
  * @tags security