CVE-2026-45778
Analyzed Analyzed - Analysis Complete

Stored XSS in OpenXDMoD User Profile

Vulnerability report for CVE-2026-45778, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-05

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-05
Last Modified
2026-06-10
Generated
2026-07-17
AI Q&A
2026-06-05
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
buffalo open_xdmod to 11.0.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45778 is a Reflected Cross-Site Scripting (XSS) vulnerability in the password reset functionality of Open XDMoD versions prior to 11.0.3.

An authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and then abuse the password reset feature to send a crafted link to a victim.

When the victim clicks the link, the malicious JavaScript executes in their browser because the payload is not properly sanitized, potentially leading to credential theft and account takeover.

Detection Guidance

This vulnerability involves an authenticated attacker injecting malicious JavaScript into their Open XDMoD user profile and exploiting the password reset functionality to send a crafted link. Detection would involve monitoring for unusual or suspicious password reset emails containing unexpected or suspicious URLs.

Since the vulnerability is a reflected Cross-Site Scripting (XSS) issue triggered via crafted password reset links, network detection could include inspecting outgoing password reset emails for suspicious payloads or JavaScript code embedded in URLs.

On the system side, commands to check the Open XDMoD version can help determine if the system is vulnerable (versions prior to 11.0.3 are affected). For example, checking the installed package version or the application version via command line or web interface.

  • Check Open XDMoD version to confirm if it is prior to 11.0.3 (vulnerable):
  • Use a command like `xdmod --version` or check the version in the application UI or installation directory.
  • Monitor outgoing emails for password reset links containing suspicious JavaScript payloads.
  • Review user profiles for injected JavaScript code if possible.

No specific detection commands or scripts are provided in the available resources.

Impact Analysis

This vulnerability can lead to the compromise of your Open XDMoD account through credential capture.

An attacker can take over your account by tricking you into clicking a malicious link that executes injected JavaScript in your browser.

The impact affects the confidentiality and integrity of your account data, but does not affect system availability.

Compliance Impact

The vulnerability in Open XDMoD allows an authenticated attacker to inject malicious JavaScript that can lead to credential theft and account takeover. This impacts the confidentiality and integrity of user data.

Such a compromise of user credentials and potential unauthorized access to accounts could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, if exploited, this vulnerability could negatively affect compliance with these common standards by exposing sensitive user data and failing to maintain adequate security controls.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Open XDMoD to version 11.0.3 or later, where the issue has been patched.

If upgrading is not possible right away, apply the provided manual patch as a temporary workaround to fix the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart