CVE-2026-44960
Status: Received - Intake
Stored XSS in Audit Log via Malicious Usernames

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: HackerOne

Description
A stored cross-site scripting (XSS) vulnerability can be exploited by using usernames as the attack vector. When an admin user views the audit log details for affected entries, any malicious JavaScript payload embedded in the username is executed because the output was not escaped. Proper escaping has been added to the audit log details output.
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in which the username is the attack vector. An attacker only needs to control a username (for example through self-registration or a profile edit) and then trigger an action that is written to the audit log; when an administrator later views the audit log details for that entry, any JavaScript embedded in the username runs in the administrator's browser because the audit log output was not escaped.

Because the payload is stored and fires in a different, higher-privileged user's session, the bug is a path from a low-privileged account to the administrator's browser context.

The issue has been addressed by adding proper escaping to the audit log details output so that the stored username is rendered as text rather than parsed as markup.

Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary JavaScript in the context of an administrator's browser when the administrator views the affected audit log details.

With that foothold the script can act with the administrator's privileges: issue requests to the admin interface on the administrator's behalf, read data visible to the administrator, steal session tokens that are not protected by HttpOnly, or manipulate what the administrator sees in the interface.

No CVSS base score has been published for this entry yet; a 0.0 shown by trackers is a placeholder for "not yet scored", not an assessment of low severity. Severity should be judged from the description above, in particular the fact that the payload runs in an administrator's session.

Mitigation Strategies

To mitigate this vulnerability, apply context-appropriate output encoding wherever usernames are rendered in audit log details (HTML element content, attribute values, and any JavaScript or URL contexts). Encoding at the point of output is the fix; validating new usernames on input alone is not enough, because entries already stored in the audit log may contain payloads and must still be rendered safely.

Review and update your system or application to include the patch or fix that adds proper escaping to the audit log details output. As defence in depth, a Content Security Policy that disallows inline scripts limits what an injected payload can do, and reviewing existing audit log entries for usernames containing HTML metacharacters identifies accounts that may have attempted exploitation before the fix.
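The following is an added example, not code from the affected product or from the advisory, illustrating both the vulnerability described above and the mitigation: a rendering function that concatenates a stored username into the audit log details unescaped, the same function with HTML entity encoding at the point of output, a unit-level check that the fixed rendering contains no data-derived markup, and a scan for existing records whose usernames would have fired before the fix. The record shape, the function names and the sample entries are assumptions made for illustration.

```javascript
// Added example, not the affected product's code: how a stored XSS payload
// carried in a username reaches an administrator's audit-log view, the
// output-escaping fix, and a scan of existing records. The record shape,
// function names and sample entries below are assumptions for illustration.

// Constructed audit-log rows as they might sit in the database after an
// attacker registered with a hostile username. The payload is inert here;
// it only runs when interpolated unescaped into the admin's page.
const auditLog = [
  { id: 1, user: "alice", action: "login" },
  { id: 2, user: '<img src=x onerror="alert(document.cookie)">', action: "login" },
  { id: 3, user: 'x" onmouseover="alert(1)', action: "password_change" },
  { id: 4, user: "bob", action: "logout" },
];

// VULNERABLE (the pre-fix behaviour): the username is concatenated straight
// into markup, once as element content and once inside a title attribute.
function renderAuditDetailsVulnerable(entry) {
  return `<tr><td>${entry.id}</td>` +
    `<td title="${entry.user}">${entry.user}</td>` +
    `<td>${entry.action}</td></tr>`;
}

// HTML entity encoding for the two output contexts used above: element
// content and a double-quoted attribute value. Quotes must be encoded too,
// otherwise entry 3 breaks out of the attribute without ever using "<".
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// FIXED: every untrusted field is encoded at the point of output, so the
// stored payload is displayed as text instead of being parsed as markup.
function renderAuditDetails(entry) {
  return `<tr><td>${escapeHtml(entry.id)}</td>` +
    `<td title="${escapeHtml(entry.user)}">${escapeHtml(entry.user)}</td>` +
    `<td>${escapeHtml(entry.action)}</td></tr>`;
}

// Regression guard for the template above: strip exactly the tags the
// template emits; any "<", ">" or stray quote left over came from data.
// (A real test would render in a DOM; this is a cheap unit-level check.)
function hasInjectedMarkup(html) {
  const stripped = html
    .replace(/<\/?tr>/g, "")
    .replace(/<td title="[^"<>]*">/g, "")
    .replace(/<\/?td>/g, "");
  return /[<>"]/.test(stripped);
}

// Triage of records that already exist: usernames carrying HTML-significant
// characters are the ones that would have fired in an admin's browser before
// the fix, and the corresponding accounts are worth a closer look.
function findSuspiciousUsernames(entries) {
  return entries
    .filter((e) => /[<>"'&]|javascript:/i.test(e.user))
    .map((e) => e.id);
}

// Demo: the same record rendered both ways, and the entries to review.
console.log("vulnerable:", renderAuditDetailsVulnerable(auditLog[1]));
console.log("fixed:     ", renderAuditDetails(auditLog[1]));
console.log("entries to review:", findSuspiciousUsernames(auditLog));
```

Entry 3 is included deliberately: it contains no `<` at all, so a filter that only blocks angle brackets on input would let it through, while encoding quotes at the output site neutralises it in the attribute context. The `hasInjectedMarkup` guard is tied to this one template and is a regression check, not a general XSS detector; the real fix is the encoding in `renderAuditDetails`.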
