CVE-2026-42224
Stored XSS in Ipl Web Prior to Version 0.13.1
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ipl | web | < 0.13.1 (0.13.1 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to serious security impacts, including unauthorized execution of malicious JavaScript code within the victim's browser session on Icinga Web. This can result in data theft, session hijacking, or other malicious actions performed with the victim's privileges. The victim may not be aware of the attack, as it requires only visiting a maliciously prepared website.
Can you explain this vulnerability to me?
The vulnerability exists in ipl/web, a set of common web components for PHP projects, prior to version 0.13.1. It allows an attacker to inject malicious JavaScript into a victim's browser, causing the script to run in the context of Icinga Web. This means that if a victim visits a specially crafted website, the attacker can execute harmful code without the victim immediately noticing anything wrong.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in ipl/web allows malicious JavaScript injection prior to version 0.13.1. To mitigate it, upgrade ipl/web to version 0.13.1 or later, where the issue has been patched.