CVE-2026-36906
Deferred Deferred - Pending Action

Cross Site Scripting in iotgateway v3.0.1

Vulnerability report for CVE-2026-36906, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-11

Last updated on: 2026-07-05

Assigner: MITRE

Description

Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-11
Last Modified
2026-07-05
Generated
2026-07-11
AI Q&A
2026-05-11
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
iioter iotgateway to 3.0.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in iotgateway v3.0.1 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-36906 is a stored Cross-Site Scripting (XSS) vulnerability found in the iotgateway project, specifically in version 3.0.1 and earlier.

The vulnerability exists in the log record function, particularly in the endpoints /_Admin/ActionLog/Search and /_Admin/ActionLog/Details.

When a user makes an HTTP API call, the system logs details such as the user's IP address, which is retrieved from the X-Forwarded-For header without proper sanitization.

An attacker can exploit this by injecting malicious scripts into the X-Forwarded-For header, which then gets stored in the logs and later rendered in the frontend, triggering the XSS attack.

Impact Analysis

This vulnerability allows a remote attacker to execute arbitrary scripts in the context of the affected application.

Such an attack can lead to unauthorized actions on behalf of legitimate users, theft of sensitive information such as session tokens, or manipulation of the user interface.

Because the malicious script is stored and rendered later, it can affect multiple users who view the logs, increasing the potential impact.

Detection Guidance

This vulnerability can be detected by inspecting HTTP API calls to the iotgateway endpoints `/_Admin/ActionLog/Search` and `/_Admin/ActionLog/Details` for suspicious or malicious content in the `X-Forwarded-For` header.

Specifically, you can look for entries in the logs where the `X-Forwarded-For` header contains script tags or other HTML elements that could trigger Cross-Site Scripting (XSS) attacks.

  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests and filter for the `X-Forwarded-For` header.
  • Example command to capture HTTP traffic and filter for `X-Forwarded-For` header using tcpdump: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-Forwarded-For'`
  • Search the application logs for entries containing suspicious script injections, e.g., grep for `<img` or `onerror` in the log files related to action logs.
Mitigation Strategies

To mitigate this vulnerability immediately, you should sanitize and validate the `X-Forwarded-For` header input before logging or rendering it in the frontend.

If a patch or updated version of iotgateway is available that fixes this issue, apply it as soon as possible.

  • Implement input validation to strip or encode HTML tags and scripts from the `X-Forwarded-For` header.
  • Restrict or disable the use of the `X-Forwarded-For` header if it is not necessary for your environment.
  • Review and sanitize all user input that is logged and later rendered in the frontend to prevent stored XSS.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36906. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart