CVE-2026-50876
Received - Intake
XSS Vulnerability in Deck9 Input v2.0.1

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: deck9
Product: input
Version / Range: 2.0.1
CWE ID: CWE-UNKNOWN
Compliance Impact

The vulnerability allows attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to unauthorized access to session data and application information.

Such unauthorized access and potential data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

The vulnerability arises from improper sanitization of webhook response data, highlighting a failure to adequately protect user data and application integrity, which are key compliance requirements.

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Deck9 Input version 2.0.1. It occurs because the application stores the raw HTTP response body from a configured webhook URL and later renders it as HTML in the frontend without proper sanitization.

An attacker can exploit this by configuring a form webhook to point to a malicious endpoint that returns HTML or JavaScript content. When a user submits the form and views the webhook status, the malicious content is rendered and executed in the user's browser.

This allows the attacker to execute arbitrary web scripts or HTML in the context of the authenticated user's session, potentially accessing session data and other sensitive information.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you view the webhook submission status in Deck9 Input.

Such script execution can lead to theft of your session data, unauthorized actions performed on your behalf within the application, and exposure of sensitive information accessible through the same-origin policy.

The impact is particularly relevant for users who have access to view submission statuses, as they are the ones exposed to the malicious stored content.

Detection Guidance

This vulnerability can be detected by checking if the Deck9 Input v2.0.1 application renders webhook response bodies as HTML without proper sanitization. Specifically, you can test by configuring a form webhook to point to a controlled endpoint that returns HTML or JavaScript content and then submitting the form to see if the response is rendered as active content in the submission webhook status UI.

There are no specific commands provided to detect this vulnerability on the network or system, but manual testing involves observing the webhook status page for execution of injected scripts.

Mitigation Strategies

To mitigate this vulnerability immediately, ensure that the application properly sanitizes or escapes the webhook response bodies before rendering them in the frontend. Avoid rendering raw HTML or script content from external webhook responses.

Additionally, restrict the ability to configure webhooks to trusted endpoints only, and review user permissions to limit who can view submission statuses where the stored responses are displayed.
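
The escaping step recommended above, shown beside the unsafe pattern, as an added example that is not Deck9 Input's own code. The record shape, the function names and the `MAX_BODY_CHARS` cap are assumptions made for illustration.

```javascript
// Added example. Function and field names are hypothetical, not Deck9 Input's.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the characters that can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the page describes: the stored body is emitted as markup.
function renderStatusUnsafe(record) {
  return `<div class="webhook-status"><span>${record.status}</span>` +
    `<div>${record.responseBody}</div></div>`;
}

const MAX_BODY_CHARS = 2000; // assumed display cap for stored bodies

// Hardened form: the body is inert text inside <pre>, truncated before escaping
// so an entity is never cut in half.
function renderStatusSafe(record) {
  const body = String(record.responseBody ?? "");
  const shown = body.length > MAX_BODY_CHARS
    ? body.slice(0, MAX_BODY_CHARS) + " [truncated]"
    : body;
  return `<div class="webhook-status"><span>${escapeHtml(record.status)}</span>` +
    `<pre>${escapeHtml(shown)}</pre></div>`;
}

// Regression helper: tag names in the output that are not part of the fixed
// div/span/pre wrapper, which means the stored body was parsed as markup.
function unexpectedTags(html) {
  const allowed = new Set(["div", "span", "pre"]);
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => !allowed.has(t));
}

// Constructed sample of a stored webhook response record.
const sampleRecord = {
  status: 200,
  responseBody: '<img src=x onerror="alert(1)"> & <b>ok</b>',
};

console.log(unexpectedTags(renderStatusUnsafe(sampleRecord))); // [ 'img', 'b', 'b' ]
console.log(renderStatusSafe(sampleRecord));
```

In a DOM-based frontend the same effect comes from assigning the stored body to `textContent` rather than `innerHTML`.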
