CVE-2026-33061
Received - Intake
Stored DOM XSS in Jexactyl Game Panel via Unsafe JSON Encoding

Publication date: 2026-03-20

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
jexactyl jexactyl to 3.8.0 (inc)
jexactyl jexactyl 4.0.0
CWE
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33061 is a Stored DOM Cross-Site Scripting (XSS) vulnerability in the Jexactyl application. It occurs because server-side objects are injected into client-side JavaScript using unescaped JSON encoding in a Blade template file (wrapper.blade.php). Specifically, the application uses the unescaped Blade directive `{!! json_encode(...) !!}` without safe encoding flags, allowing attacker-controlled string values (such as usernames or site configuration fields) to break out of the JavaScript context and be interpreted as HTML or JavaScript by the browser.

If an attacker can control serialized fields, they can inject malicious scripts that execute in the browser of any user viewing the affected page. This can lead to arbitrary script execution, compromising user accounts and sessions.

How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary scripts in the context of users viewing the affected page. Potential impacts include:
- Account compromise through theft of authentication tokens or session cookies.
- Session theft enabling attackers to impersonate legitimate users.
- Cross-Site Request Forgery (CSRF) attacks leveraging the victim's authenticated session.
- Execution of malicious JavaScript that can manipulate page content or steal sensitive information. [1]

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the application embeds server-side objects into client-side JavaScript using unescaped JSON encoding in the Blade template file `resources/views/templates/wrapper.blade.php`.

A practical detection method involves verifying if user-controllable fields (such as username, display name, or site configuration values) are reflected in the client-side JavaScript without proper escaping, which could allow script injection.

One way to test this is to insert a benign script payload into a user-controllable field (for example, the `state` field in the users database) and then load the affected page to see if the script executes.

Commands to assist detection might include:
- Query the database to find user fields that may contain suspicious or unescaped script tags, e.g., using SQL: `SELECT id, username, state FROM users WHERE state LIKE '%<script>%' OR username LIKE '%<script>%'`.
- Use web application security scanners or browser developer tools to inspect the page source and JavaScript context for unescaped JSON data containing HTML or script tags.
- Manually review the Blade template `resources/views/templates/wrapper.blade.php` for usage of `{!! json_encode(...) !!}` without safe encoding flags. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
- Update the application to include safe JSON encoding flags (`JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT`) when embedding JSON data in Blade templates, as done in the patched commit.
- Whitelist and sanitize user-controllable fields that are serialized and sent to the client to prevent injection of malicious scripts.
- Normalize and validate user input on profile fields at the time of data entry to restrict dangerous content.
- Apply the database migration that sets inconsistent or null user state values to a safe default (`'active'`) to ensure consistent user state handling.
- Review and apply the patch from commit `e28edb204e80efab628d1241198ea4f079779cfd` which addresses this vulnerability. [1, 2]
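As an added example (not Jexactyl's own code), the following PHP contrasts the unescaped `json_encode()` call described in the vulnerability with the flag set named in the first mitigation step, so the encoding difference on a user-controlled string is visible without a browser. The helper `jsonForScript()`, the check `hasRawHtmlMetachars()` and the sample `$user` array are illustrative assumptions, not names from the project.

```php
<?php
// Added example, not Jexactyl's code: contrasts json_encode() without flags,
// as used by the vulnerable wrapper.blade.php, with the flag set from the fix.

// With these flags every <, >, &, ' and " inside string values becomes a
// \uXXXX escape, so nothing the browser's HTML parser treats as a tag or
// attribute boundary survives inside the <script> block.
const SCRIPT_SAFE_JSON = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

// Hypothetical hardened replacement for {!! json_encode($data) !!} in a
// Blade template: same data, script-safe encoding, errors raised as exceptions.
function jsonForScript(array $data): string
{
    return json_encode($data, SCRIPT_SAFE_JSON | JSON_THROW_ON_ERROR);
}

// Hypothetical regression check for a test suite: true if the encoded JSON
// still carries raw HTML-significant characters. Structural double quotes
// belong to any JSON literal and cannot close an HTML tag, so only <, >, &
// and ' are counted here.
function hasRawHtmlMetachars(string $json): bool
{
    return preg_match('/[<>&\']/', $json) === 1;
}

// Constructed sample: a display name containing all five affected characters.
$user = ['id' => 7, 'name' => 'O\'Neil <b>&</b> "quoted"'];

$unsafe = json_encode($user);   // what the vulnerable template emitted
$safe   = jsonForScript($user); // what the flagged encoding emits

// Without flags, <, >, & and ' in the name reach the page verbatim; with the
// flags they are written as \u003C, \u003E, \u0026 and \u0027 instead.
echo "window.User = {$unsafe};\n";
echo "window.User = {$safe};\n";

if (!hasRawHtmlMetachars($unsafe) || hasRawHtmlMetachars($safe)) {
    throw new RuntimeException('JSON script-context escaping check failed');
}
```

Running the script with `php` prints both encodings; the final check is the form a unit test for the template's output would take.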

