CVE-2026-3951
Received Received - Intake
Remote XSS in LockerProject Locker authIsAwesome Function

Publication date: 2026-03-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in LockerProject Locker 0.0.0/0.0.1/0.1.0. Affected is the function authIsAwesome of the file source-code/Locker-master/Ops/registry.js of the component Error Response Handler. The manipulation of the argument ID results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3951
EUVD
EUVD-2026-11347
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
lockerproject locker 0.0.0
lockerproject locker 0.0.1
lockerproject locker 0.1.0
lockerproject locker to 0.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-3951 is a reflected Cross-Site Scripting (XSS) vulnerability in LockerProject Locker versions 0.0.0, 0.0.1, and 0.1.0. It affects the function authIsAwesome in the file registry.js, part of the Error Response Handler component. The vulnerability occurs because the id parameter from user input is directly concatenated into an HTTP error response without any sanitization or encoding. This allows an attacker to inject arbitrary JavaScript code that is executed in the victim's browser when the crafted URL is accessed."}, {'type': 'paragraph', 'content': "The attack can be launched remotely and does not require authentication, but it requires some user interaction to trigger the malicious script. A proof-of-concept exploit uses a specially crafted SVG payload that triggers an alert in the victim's browser, confirming the vulnerability."}] [1, 3, 4]

Compliance Impact

I don't know

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows remote attackers to execute arbitrary JavaScript code in the context of a victim's browser. This can lead to several impacts including session hijacking, defacement of web pages, theft of sensitive information, or performing actions on behalf of the user without their consent."}, {'type': 'paragraph', 'content': 'Because the vulnerability is reflected XSS, it requires the victim to interact with a crafted URL or link. The exploit is publicly available, increasing the risk of attacks. The vulnerability impacts data integrity and can compromise user trust and security.'}] [1, 3, 4]

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted HTTP requests to the vulnerable LockerProject Locker endpoint that includes the `id` parameter in the URL path. If the server response reflects the injected payload verbatim without sanitization, it confirms the presence of the reflected XSS vulnerability.'}, {'type': 'paragraph', 'content': 'A proof-of-concept uses a payload such as `<SvG oNlOAD=alert("zast-xss")>` inserted as the `id` parameter in the URL path. When the server responds with this payload reflected in the HTTP response body, it indicates the vulnerability.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -i "http://[target]/[vulnerable_path]/<SvG oNlOAD=alert(\\"zast-xss\\")>"'}, {'type': 'paragraph', 'content': 'If the response body contains the payload string without encoding or sanitization, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, a Python script using the requests library can be used to automate this test by sending a GET request with the crafted payload and checking the response for the reflected payload.'}] [3, 4, 1]

Mitigation Strategies

Currently, no official countermeasures or patches have been published by the LockerProject maintainers, and the project has not responded to the issue report.

Immediate mitigation steps include:

  • Avoid using the affected versions (0.0.0, 0.0.1, 0.1.0) of LockerProject Locker.
  • Consider replacing the affected component with an alternative product that does not have this vulnerability.
  • Implement web application firewall (WAF) rules to detect and block requests containing suspicious payloads targeting the `id` parameter.
  • If possible, apply input validation and sanitization on the server side to neutralize the `id` parameter before it is reflected in responses.

Monitoring for exploit attempts and restricting access to the vulnerable endpoints can also reduce risk until a proper fix is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3951. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart