CVE-2026-36906
Status: Received - Intake
Cross Site Scripting in iotgateway v3.0.1

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: MITRE

Description
Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function
CVSS Scores: none listed

EPSS Scores: probability and percentile not listed (EPSS not yet evaluated)
Meta Information

Published: 2026-05-11

Last Modified: 2026-05-11

Generated: 2026-05-11

AI Q&A: 2026-05-11

EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
Exploitability
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-36906 is a stored cross-site scripting (XSS) vulnerability in the iotgateway project, reported against version 3.0.1.

The flaw is in the log record function, specifically the administrative endpoints /_Admin/ActionLog/Search and /_Admin/ActionLog/Details.

When a client makes an HTTP API call, iotgateway records details of the request, including the client IP address, which it takes from the X-Forwarded-For request header without validating it as an IP address or HTML-encoding it when the log is displayed.

X-Forwarded-For is an ordinary request header: any client that reaches iotgateway directly can set it to whatever it likes, and many reverse proxies append to rather than replace it. An attacker therefore puts an HTML or JavaScript payload in the header; the payload is stored in the action log and executes in the browser of any administrator who later opens the affected log pages. The original request is only the injection step; the XSS fires when the log is viewed.


How can this vulnerability impact me?

This vulnerability allows a remote attacker to run arbitrary script in the browser of any user who views the affected log pages, within the origin of the iotgateway web application. Because those pages live under /_Admin, the victims are the gateway's administrators.

From there the script can perform administrative actions with the victim's privileges through the same session, read any data the admin pages can reach, steal session tokens or other secrets that are not protected from script access, or rewrite the interface the administrator sees.

Because the payload is stored and rendered later, a single request is enough to affect every administrator who views the log afterwards, and the attacker needs no interaction with the victims beyond their routine use of the admin UI.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two sides: requests in flight and entries already stored in the action log.

On the wire, inspect HTTP requests to iotgateway for an `X-Forwarded-For` header whose value is anything other than a comma-separated list of IP addresses; angle brackets, quotes, `on...=` event attributes or `javascript:` in that header are never legitimate. If a reverse proxy or TLS terminator sits in front of iotgateway, capture on the plaintext hop between the proxy and the application: tcpdump cannot see inside TLS, and the proxy may rewrite the header.

  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests and filter for the `X-Forwarded-For` header.
  • Example: capture only TCP segments that carry a payload on port 80 and grep the header (`-l` line-buffers tcpdump's output so grep sees it promptly; adjust the port and add `-i <interface>` to suit your deployment): `tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'X-Forwarded-For'`
  • In the stored action log, inspect the client-IP field of every entry. Grepping the log files for `<img`, `<script`, `onerror` or `onload` catches the common payloads, but flagging every value that does not parse as a list of IP addresses is more robust, because an encoded or unusual payload does not need to contain those exact strings.
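As an added example (not code from this page or from the iotgateway project), the following Python script applies that "is it an IP list at all?" check to a constructed action-log export and to a constructed raw HTTP request of the kind the tcpdump pipeline above prints. The log layout (`timestamp | user | action | client_ip`), the sample values and the request are all assumptions made for the example; adjust `split_fields()` to the real export format.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample rows in an assumed "timestamp | user | action | client_ip" layout.
# iotgateway's real action-log format may differ; adjust split_fields() to match it.
SAMPLE_LOG_LINES = [
    "2026-05-11T09:14:02Z | admin | GET /api/Device/List | 10.0.0.7",
    "2026-05-11T09:14:05Z | admin | GET /api/Device/List | 203.0.113.9, 10.0.0.2",
    "2026-05-11T09:15:31Z | - | POST /api/Device/Set | <img src=x onerror=alert(document.cookie)>",
    '2026-05-11T09:16:44Z | - | GET /api/Device/List | 198.51.100.4" onmouseover="alert(1)',
    "2026-05-11T09:17:00Z | - | GET /api/Device/List | javascript:alert(1)",
    "2026-05-11T09:18:12Z | - | GET /api/Device/List | unknown",
]

# Constructed raw HTTP request, the shape a tcpdump -A capture shows.
SAMPLE_REQUEST = (
    b"GET /api/Device/List HTTP/1.1\r\n"
    b"Host: gateway.example\r\n"
    b"X-Forwarded-For: <img src=x onerror=alert(1)>\r\n"
    b"User-Agent: curl/8.0\r\n"
    b"\r\n"
)

# Characters and tokens that never occur in a legitimate IP list but do in XSS payloads
# (\x22 is the double quote; \bon[a-z]+= catches onerror=, onload=, onmouseover=, ...).
HTML_MARKERS = re.compile(r"[<>'`\x22]|\bon[a-z]+\s*=|javascript:|&#", re.IGNORECASE)


def is_ip_list(value: str) -> bool:
    """True only if value is a comma-separated list of syntactically valid IP addresses."""
    parts = [p.strip() for p in value.split(",")]
    if any(p == "" for p in parts):
        return False
    try:
        for p in parts:
            ipaddress.ip_address(p)
    except ValueError:
        return False
    return True


def classify_ip_field(value: str) -> Optional[str]:
    """None for a clean value, otherwise a short reason string."""
    if is_ip_list(value):
        return None
    if HTML_MARKERS.search(value):
        return "html-or-script-markers"
    return "not-an-ip-list"


def split_fields(line: str) -> List[str]:
    return [f.strip() for f in line.split("|")]


def scan_log(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, offending value) for every suspicious client_ip field."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = split_fields(line)
        if len(fields) < 4:
            continue
        reason = classify_ip_field(fields[3])
        if reason is not None:
            findings.append((lineno, reason, fields[3]))
    return findings


def xff_from_raw_request(raw: bytes) -> Optional[str]:
    """Pull the X-Forwarded-For value out of a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            return value.strip()
    return None


if __name__ == "__main__":
    for lineno, reason, value in scan_log(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {reason}: {value!r}")
    print("request header:", classify_ip_field(xff_from_raw_request(SAMPLE_REQUEST) or ""))
```

The "not-an-ip-list" class is deliberately separate from the HTML-marker class: it also flags values such as `unknown` or `203.0.113.9:4431` (some proxies append a port), which are worth a look but are not attacks. Tune that class to your proxies rather than loosening the marker check.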

What immediate steps should I take to mitigate this vulnerability?

Treat `X-Forwarded-For` as untrusted input: validate it as a list of IP addresses before it is stored, and HTML-encode it, together with every other logged request field, when the log is rendered in the admin pages. Output encoding at the point of display is the control that actually stops XSS; validating the header in addition keeps the payload out of the log altogether.

If a patch or updated version of iotgateway that fixes this issue is available, apply it as soon as possible.

  • Parse the header as IP addresses and discard anything that does not parse, rather than trying to strip HTML tags from it: a tag stripper is easy to bypass, an IP parser is not.
  • Honour `X-Forwarded-For` only when the request arrived from a known reverse proxy, and then take the rightmost address that your own proxies did not add; when iotgateway is reached directly, log the socket's remote address and ignore the header entirely.
  • Review every other request-derived value that is logged and later rendered, and apply the same output encoding there, since the log viewer, not this one header, is the real sink.
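The two controls above, as an added example in Python that is not iotgateway's code: `client_ip()` decides what the log may store by trusting the header only behind known proxies and walking it from the right, and `render_ip_cell_hardened()` shows the output-encoding fix beside the vulnerable concatenation the page describes. The trusted-proxy addresses, the example addresses and the cell-rendering helpers are assumptions made for the example.

```python
import html
import ipaddress
from typing import Optional

# Assumed for this example: the reverse proxies that sit in front of iotgateway.
# Hypothetical addresses; use your own.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2"), ipaddress.ip_address("10.0.0.3")}


def parse_ip(value: str):
    """A parsed IP address, or None for anything that is not one (including XSS payloads)."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Decide which address the action log should record.

    remote_addr is the socket peer and is the only hop that cannot be forged.
    X-Forwarded-For is honoured only when that peer is one of our proxies; the list
    is then walked from the right, skipping our own proxies, and the first foreign
    address is taken. A malformed element ends the walk and the proxy's address is
    recorded instead, so raw header text never reaches storage.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        return "invalid"
    if peer not in trusted or not xff:
        return str(peer)
    for hop in reversed(xff.split(",")):
        addr = parse_ip(hop)
        if addr is None:
            return str(peer)
        if addr not in trusted:
            return str(addr)
    return str(peer)


def render_ip_cell_vulnerable(ip_field: str) -> str:
    """The bug class on this page: a stored value concatenated straight into markup."""
    return f"<td>{ip_field}</td>"


def render_ip_cell_hardened(ip_field: str) -> str:
    """Output encoding at the sink: neutralises the payload even if validation was
    skipped somewhere upstream and the raw header value made it into the log."""
    return f"<td>{html.escape(ip_field, quote=True)}</td>"


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(document.cookie)>"
    # Attacker sends the payload through our proxy, which appends the attacker's real
    # address: the log gets the real address, the payload is never reached.
    print(client_ip("10.0.0.2", f"{payload}, 198.51.100.4"))
    # Two-proxy chain: the inner proxy 10.0.0.3 is skipped, the client is recorded.
    print(client_ip("10.0.0.2", "203.0.113.9, 10.0.0.3"))
    # Proxy passed the header through untouched: malformed, so the proxy is recorded.
    print(client_ip("10.0.0.2", payload))
    # Direct connection: the header is ignored no matter what it says.
    print(client_ip("198.51.100.4", "1.2.3.4"))
    print(render_ip_cell_vulnerable(payload))
    print(render_ip_cell_hardened(payload))
```

The right-to-left walk matters: the leftmost entries of `X-Forwarded-For` are whatever the client sent, so a parser that takes the first address is still spoofable even after the HTML problem is fixed. If iotgateway runs on ASP.NET Core, the framework's ForwardedHeadersMiddleware with `KnownProxies` configured performs the same trust walk before the application sees the header.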

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in iotgateway v3.0.1 impacts compliance with common standards and regulations such as GDPR or HIPAA.

