CVE-2026-41200
Reflected XSS in STIG Manager OIDC Enables Authenticated API Access
Publication date: 2026-04-23
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nuwcddivnpt | stig_manager | From 1.5.10 (inc) to 1.6.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary JavaScript in the context of the STIG Manager application, potentially enabling unauthorized access to sensitive data by performing authenticated API requests on behalf of the victim.
Such unauthorized access and modification of sensitive information can lead to breaches of confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to unauthorized data exposure or alteration.
Mitigation requires upgrading to version 1.6.8, as partial protections like Web Application Firewalls are not sufficient to fully address the risk.
Can you explain this vulnerability to me?
CVE-2026-41200 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability in the STIG Manager Web App versions 1.5.10 through 1.6.7. It occurs in the OpenID Connect (OIDC) authentication error handling code, where the `error` and `error_description` query parameters returned by the OIDC provider are inserted directly into the web page's DOM using `innerHTML` without proper HTML escaping.
This improper handling allows an attacker to craft malicious URLs that, when visited by a user, execute arbitrary JavaScript within the application's origin context. The vulnerability is especially dangerous if the user has an active STIG Manager session open in another browser tab, as the injected script can interact with the SharedWorker managing the user's active access token.
This interaction enables the attacker to perform authenticated API requests on behalf of the victim, including reading and modifying sensitive collection data. The vulnerability is patched in version 1.6.8, and there is no workaround other than upgrading.
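The pattern described above, as an added illustration that is not STIG Manager's own code: the OIDC provider's `error` and `error_description` callback parameters are read from the URL and rendered into an error box. The function names, the markup layout and the sample callback URL are hypothetical; what is faithful to the advisory is the contrast between building the box with raw parameters destined for `innerHTML` and rendering the same values as text.

```javascript
// Added example (not STIG Manager's code): rendering an OIDC error response.
// Function names, markup and the sample URL below are hypothetical.

// Escape the characters that change meaning in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Read the OIDC error response from the callback URL. `error` and
// `error_description` are the parameter names defined by OAuth 2.0 (RFC 6749).
function parseOidcError(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  return {
    error: params.get('error') || '',
    description: params.get('error_description') || ''
  };
}

// VULNERABLE pattern: the string is built from the raw parameters and would be
// assigned to `container.innerHTML`, so any tag in the input is parsed as markup.
function buildErrorMarkupUnsafe({ error, description }) {
  return `<div class="oidc-error"><b>${error}</b>: ${description}</div>`;
}

// FIXED pattern (minimal change): the same markup, every parameter HTML-escaped.
function buildErrorMarkupSafe({ error, description }) {
  return `<div class="oidc-error"><b>${escapeHtml(error)}</b>: ${escapeHtml(description)}</div>`;
}

// PREFERRED fix when a DOM is at hand: never route the values through innerHTML.
// `doc` is the Document (passed in so the function can be exercised without a browser).
function renderErrorWithTextContent(container, { error, description }, doc) {
  container.textContent = '';                 // clear previous content
  const strong = doc.createElement('b');
  strong.textContent = error;                 // text node: never parsed as HTML
  container.appendChild(strong);
  container.appendChild(doc.createTextNode(': ' + description));
}

// Constructed sample callback (not a real IdP response): the description
// carries a harmless tag to show that it is parsed by the unsafe path only.
const SAMPLE_CALLBACK =
  'https://stigman.example/?error=access_denied&error_description=%3Cb%3Einjected%3C%2Fb%3E';

const sample = parseOidcError(SAMPLE_CALLBACK);
console.log('unsafe:', buildErrorMarkupUnsafe(sample));
console.log('safe:  ', buildErrorMarkupSafe(sample));
```

Running the block prints the two strings side by side: the unsafe one contains the literal `<b>injected</b>` that the browser would interpret, the safe one contains `&lt;b&gt;injected&lt;/b&gt;`, which renders as text. The `textContent` variant is the better fix because it removes the HTML parser from the path entirely rather than relying on the escaping being applied at every call site.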
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized execution of arbitrary JavaScript code within the application's origin context.
If exploited, especially when the victim has an active STIG Manager session, the attacker can use the injected script to communicate with the SharedWorker managing the victim's access token.
This allows the attacker to perform authenticated API requests on behalf of the victim, which can lead to reading and modifying sensitive data collections, thereby compromising confidentiality and integrity of the data.
The vulnerability requires no privileges to exploit but does require the victim to interact by following a malicious link.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your STIG Manager deployment is running a vulnerable version between 1.5.10 and 1.6.7 and by checking for reflected Cross-Site Scripting (XSS) attempts in the OIDC authentication error handling flow.
One way to detect exploitation attempts is to monitor HTTP requests for suspicious URLs containing the `error` and `error_description` query parameters with potentially malicious JavaScript payloads.
You can use web server logs or network monitoring tools to search for such patterns.
Example commands to detect suspicious requests in web server logs (assuming Apache logs; query strings are logged URL-encoded, so match the encoded forms as well as the literal ones):
- `grep -i 'error=' /var/log/apache2/access.log | grep -iE '<script|%3Cscript|javascript:|javascript%3A'`
- `grep -i 'error_description=' /var/log/apache2/access.log | grep -iE '<script|%3Cscript|javascript:|javascript%3A'`
Additionally, you can use web vulnerability scanners that detect reflected XSS vulnerabilities by testing the OIDC redirect URLs with crafted payloads.
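A log scan of the kind the grep commands above approximate, as an added example that is not part of the advisory or the STIG Manager project: it parses Apache combined-format lines, pulls the `error` and `error_description` parameters out of the request, decodes them (repeatedly, so double-encoded values are seen in clear) and flags any that contain markup or a `javascript:` URL, which are the indicators the answer above names. The log lines are constructed for the example; the regexes and the placeholder base URL are assumptions.

```javascript
// Added example (not from the advisory or the project): scan Apache
// combined-format access log lines for OIDC error-callback requests whose
// `error` / `error_description` values carry markup or a javascript: URL.
// A plain grep misses URL-encoded and double-encoded values; this decodes first.

const LOG_LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
const SUSPICIOUS_RE = /<|javascript:/i;            // indicators named in the advisory
const OIDC_ERROR_PARAMS = ['error', 'error_description'];

// Decode repeatedly so `%253Cb%253E` (double-encoded) is seen as `<b>`.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed escape: stop
    if (next === current) break;
    current = next;
  }
  return current;
}

// Extract the fields we need from one combined-format line; null if it does not parse.
function parseLogLine(line) {
  const m = LOG_LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Return the entry with its suspicious parameters attached, or null if clean.
function inspectRequest(entry) {
  const url = new URL(entry.path, 'http://placeholder.invalid'); // base only so the path parses
  const hits = [];
  for (const name of OIDC_ERROR_PARAMS) {
    const raw = url.searchParams.get(name);  // already decoded once by URLSearchParams
    if (raw === null) continue;
    const decoded = fullyDecode(raw);
    if (SUSPICIOUS_RE.test(decoded)) hits.push({ param: name, value: decoded });
  }
  return hits.length ? { ...entry, hits } : null;
}

function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const finding = inspectRequest(entry);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample log lines (not real traffic): a legitimate IdP error,
// an encoded tag, a double-encoded tag, and an unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [23/Apr/2026:10:00:00 +0000] "GET /?error=access_denied&error_description=User+cancelled+login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [23/Apr/2026:10:01:13 +0000] "GET /?error=access_denied&error_description=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [23/Apr/2026:10:01:20 +0000] "GET /?error=%253Cb%253Einjected%253C%252Fb%253E&error_description=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [23/Apr/2026:10:02:00 +0000] "GET /api/collections HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
];

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.method} ${f.path}`);
  for (const h of f.hits) console.log(`  ${h.param} = ${h.value}`);
}
```

On the constructed sample the first line is not flagged (a genuine `access_denied` with a plain-text description), while the second and third are, including the double-encoded one that a literal `<script` grep would never see. To run it against a real file, replace `SAMPLE_LOG` with the file's lines; the log format regex assumes Apache's combined format and will need adjusting for other formats.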
What immediate steps should I take to mitigate this vulnerability?
The only effective mitigation for this vulnerability is to upgrade STIG Manager to version 1.6.8 or later, where the reflected XSS issue in the OIDC authentication error handling code has been patched.
There is no workaround other than upgrading.
Deployments behind a Web Application Firewall (WAF) that filters reflected XSS payloads in query parameters may have partial mitigation, but this should not be relied upon as a substitute for patching.
Users should avoid following suspicious or untrusted OIDC redirect URLs that contain error parameters until the upgrade is applied.