CVE-2026-33061
Received Received - Intake
Stored DOM XSS in exactly Game Panel via Unsafe JSON Encoding

Publication date: 2026-03-20

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33061
EUVD
EUVD-2026-13622
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
jexactyl jexactyl to 3.8.0 (inc)
jexactyl jexactyl 4.0.0
jexactyl jexactyl 4.0.0
jexactyl jexactyl 4.0.0
jexactyl jexactyl 4.0.0
jexactyl jexactyl 4.0.0
jexactyl jexactyl 4.0.0
jexactyl jexactyl 4.0.0
jexactyl jexactyl 4.0.0
jexactyl jexactyl 4.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33061 is a Stored DOM Cross-Site Scripting (XSS) vulnerability in the Jexactyl application. It occurs because server-side objects are injected into client-side JavaScript using unescaped JSON encoding in a Blade template file (wrapper.blade.php). Specifically, the application uses the unescaped Blade directive `{!! json_encode(...) !!}` without safe encoding flags, allowing attacker-controlled string values (such as usernames or site configuration fields) to break out of the JavaScript context and be interpreted as HTML or JavaScript by the browser.

If an attacker can control serialized fields, they can inject malicious scripts that execute in the browser of any user viewing the affected page. This can lead to arbitrary script execution, compromising user accounts and sessions.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker to execute arbitrary scripts in the context of users viewing the affected page. Potential impacts include:'}, {'type': 'list_item', 'content': 'Account compromise through theft of authentication tokens or session cookies.'}, {'type': 'list_item', 'content': 'Session theft enabling attackers to impersonate legitimate users.'}, {'type': 'list_item', 'content': "Cross-Site Request Forgery (CSRF) attacks leveraging the victim's authenticated session."}, {'type': 'list_item', 'content': 'Execution of malicious JavaScript that can manipulate page content or steal sensitive information.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the application embeds server-side objects into client-side JavaScript using unescaped JSON encoding in the Blade template file `resources/views/templates/wrapper.blade.php`.'}, {'type': 'paragraph', 'content': 'A practical detection method involves verifying if user-controllable fields (such as username, display name, or site configuration values) are reflected in the client-side JavaScript without proper escaping, which could allow script injection.'}, {'type': 'paragraph', 'content': 'One way to test this is to insert a benign script payload into a user-controllable field (for example, the `state` field in the users database) and then load the affected page to see if the script executes.'}, {'type': 'paragraph', 'content': 'Commands to assist detection might include:'}, {'type': 'list_item', 'content': "Query the database to find user fields that may contain suspicious or unescaped script tags, e.g., using SQL: `SELECT id, username, state FROM users WHERE state LIKE '%<script>%' OR username LIKE '%<script>%'`."}, {'type': 'list_item', 'content': 'Use web application security scanners or browser developer tools to inspect the page source and JavaScript context for unescaped JSON data containing HTML or script tags.'}, {'type': 'list_item', 'content': 'Manually review the Blade template `resources/views/templates/wrapper.blade.php` for usage of `{!! json_encode(...) !!}` without safe encoding flags.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Update the application to include safe JSON encoding flags (`JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT`) when embedding JSON data in Blade templates, as done in the patched commit.'}, {'type': 'list_item', 'content': 'Whitelist and sanitize user-controllable fields that are serialized and sent to the client to prevent injection of malicious scripts.'}, {'type': 'list_item', 'content': 'Normalize and validate user input on profile fields at the time of data entry to restrict dangerous content.'}, {'type': 'list_item', 'content': "Apply the database migration that sets inconsistent or null user state values to a safe default (`'active'`) to ensure consistent user state handling."}, {'type': 'list_item', 'content': 'Review and apply the patch from commit `e28edb204e80efab628d1241198ea4f079779cfd` which addresses this vulnerability.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33061. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart