CVE-2026-48788
Cross-Site Scripting in Remark42 via Content-Type Spoofing

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.
Affected Vendors & Products (4 associated CPEs)

Vendor      Product     Version / Range
remark42    remark42    1.6.0 (inclusive) through 1.15.0 (inclusive)
remark42    remark42    1.16.0
umputun     remark42    1.6.0 (inclusive) through 1.15.0 (inclusive)
umputun     remark42    1.16.0
CWE ID     Description
CWE-79     The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-436    Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
AI Quick Actions
Executive Summary

CVE-2026-48788 is a Cross-Site Scripting (XSS) vulnerability in the Remark42 image proxy, affecting versions 1.6.0 through 1.15.0. The proxy fetches remote URLs and serves them from Remark42's origin, deciding whether the resource is an image solely from the Content-Type header advertised by the remote server, without inspecting the body bytes during download. When serving the content, however, it sets the response Content-Type by sniffing those bytes. An attacker can exploit this inconsistency by hosting a URL that claims to serve an image (e.g., Content-Type: image/png) but actually returns HTML or JavaScript. The proxy accepts it as an image, the serving path labels it text/html, and the browser renders the malicious HTML/JavaScript within Remark42's origin, enabling XSS.

Exploitation requires no Remark42 account; the attacker only needs to host the malicious URL and deliver the proxy link to a victim through any means such as email or a link on another website.

Impact Analysis

This vulnerability can have serious impacts including enabling attackers to execute malicious scripts within the context of the Remark42 origin. This can lead to theft of cookies, bypassing Cross-Site Request Forgery (CSRF) protections, and performing authenticated API calls on behalf of the victim.

  • Attackers can delete comments, change settings, or execute admin-level commands if the victim has administrative privileges.
  • No user account on the Remark42 instance is required for exploitation, increasing the attack surface.

The vulnerability has a high CVSS score of 8.2, indicating a network-based, low-complexity attack with significant confidentiality impact.

Detection Guidance

Detection of this vulnerability involves identifying whether your Remark42 instance is running a vulnerable version (1.6.0 through 1.15.0) and whether the image proxy is accepting and serving content with inconsistent Content-Type headers.

You can monitor network traffic or logs for requests to the image proxy that fetch remote URLs where the Content-Type header claims an image type (e.g., image/png) but the actual content is HTML or JavaScript.

A practical approach is to test the proxy by requesting a URL that deliberately spoofs the Content-Type header to image/png but returns HTML content, then observe if the proxy serves it with Content-Type: text/html.

  • Use curl to fetch a suspicious URL through the proxy and inspect headers and content, for example: curl -v "http://your-remark42-instance/image-proxy?url=http://malicious-url"
  • Check logs for unusual or unexpected Content-Type responses or for requests to the image proxy that return HTML content.
  • Scan your Remark42 version by running: remark42 --version or checking your deployment manifest to confirm if it is within the vulnerable range.

Mitigation Strategies

The primary mitigation step is to upgrade Remark42 to version 1.16.0 or later, where this vulnerability has been fixed.

Version 1.16.0 introduces stricter validation by checking the actual content against allowed image types and rejecting non-image content with a 415 error.

It also adds important security headers such as Content-Security-Policy and X-Content-Type-Options to prevent MIME-sniffing and reduce the risk of XSS.

If you use a CDN or caching layer, immediately clear cached images or proxy responses to remove any cached malicious content from before the update.

Review and apply any additional security headers as recommended in the update, such as X-Content-Type-Options: nosniff and Referrer-Policy: strict-origin-when-cross-origin.
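As an added illustration (not Remark42's own code), the following Go sketch places the header-only download check described above beside the byte-level check, 415 response and nosniff header that the mitigation section attributes to 1.16.0. The allowlist, function names and sample bodies are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Allowlist of sniffed MIME types the proxy may re-serve (assumed for this example).
var allowedImageTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// Constructed sample bodies: a PNG signature and an HTML document.
var pngBody = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
var htmlBody = []byte("<!DOCTYPE html><html><body>spoofed document</body></html>")

// vulnerablePhases models the pre-1.16.0 split: the download phase trusts the
// upstream header while the serving phase sniffs the bytes; both verdicts are returned.
func vulnerablePhases(upstreamContentType string, body []byte) (bool, string) {
	accepted := strings.HasPrefix(upstreamContentType, "image/")
	return accepted, http.DetectContentType(body)
}

// validateImageBody is the hardened check: one sniffed type drives both the
// allowlist decision and the response header, so the two cannot disagree.
func validateImageBody(body []byte) (string, error) {
	ct := http.DetectContentType(body)
	if !allowedImageTypes[ct] {
		return ct, fmt.Errorf("unsupported media type %q", ct)
	}
	return ct, nil
}

// serveProxied re-serves the body only if validation passes, otherwise it answers
// 415 as 1.16.0 does; nosniff stops the browser from re-sniffing the body itself.
func serveProxied(w http.ResponseWriter, body []byte) {
	w.Header().Set("X-Content-Type-Options", "nosniff")
	ct, err := validateImageBody(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusUnsupportedMediaType)
		return
	}
	w.Header().Set("Content-Type", ct)
	_, _ = w.Write(body)
}

func main() {
	accepted, servedAs := vulnerablePhases("image/png", htmlBody)
	fmt.Printf("vulnerable path: accepted=%v, served as %q\n", accepted, servedAs)
}
```

Running it shows the vulnerable path accepting the spoofed upstream response as an image and then labelling it text/html, while serveProxied rejects the same body with 415.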

Compliance Impact

The vulnerability allows attackers to execute Cross-Site Scripting (XSS) attacks within the Remark42 origin, potentially enabling unauthorized actions such as cookie theft, authenticated API calls, and CSRF bypass. This can lead to unauthorized access to user data and administrative functions.

Such unauthorized access and data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and preventing unauthorized access or disclosure.

The fix introduced in version 1.16.0 includes stricter content validation and security headers (e.g., Content-Security-Policy, X-Content-Type-Options) to mitigate these risks, helping to maintain compliance with security best practices mandated by these standards.
