CVE-2026-42224
Deferred Deferred - Pending Action
Stored XSS in Ipl Web Prior to Version 0.13.1

Publication date: 2026-05-08

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
ipl/web is a set of common web components for php projects. Prior to versions 0.13.1 and 0.10.3, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in versions 0.13.1 and 0.10.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-06-09
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42224
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ipl web to 0.13.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to serious security impacts including unauthorized execution of malicious Javascript code within the victim's browser session on Icinga Web. This can result in data theft, session hijacking, or other malicious actions performed with the victim's privileges. The victim may not be aware of the attack as it requires only visiting a maliciously prepared website.

Mitigation Strategies

The vulnerability in ipl/web allows malicious Javascript injection prior to version 0.13.1. To mitigate this vulnerability, you should upgrade ipl/web to version 0.13.1 or later, where the issue has been patched.

Executive Summary

The vulnerability exists in ipl/web, a set of common web components for PHP projects, prior to version 0.13.1. It allows an attacker to inject malicious Javascript into a victim's browser, causing the script to run in the context of Icinga Web. This means that if a victim visits a specially crafted website, the attacker can execute harmful code without the victim immediately noticing any wrongdoing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart