CVE-2026-55437
Received Received - Intake

Stored XSS in Coder Remote Development Environments via Agent Logs

Vulnerability report for CVE-2026-55437, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
coder coder to 2.29.17|end_excluding=2.32.7|end_excluding=2.33.8|end_excluding=2.34.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55437 is a stored HTML injection vulnerability in the Coder platform's AgentLogLine dashboard component. The issue occurs because the component uses the ansi-to-html library without enabling proper HTML escaping, which causes HTML embedded in workspace agent log lines to be rendered as live markup in the dashboard.

This means that if an attacker can insert malicious HTML into agent logs, and a victim views those logs in the dashboard, the malicious HTML will be executed or rendered. The vulnerability arises from the lack of server-side sanitization and the use of dangerouslySetInnerHTML without escaping HTML metacharacters.

The vulnerability requires the attacker to have workspace-owner access to insert malicious content and requires user interaction for the victim to view the logs. The issue has been fixed in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 by enabling escapeXML to true, which escapes HTML metacharacters before insertion into the DOM.

Impact Analysis

This vulnerability can lead to Cross-Site Scripting (XSS) attacks when a victim views attacker-controlled agent logs in the dashboard. Although inline scripts are blocked by Content Security Policy, attackers can still exploit the vulnerability to inject harmful HTML elements such as meta refresh redirects, CSS-based UI redressing, or external image beacons.

Such attacks can compromise the integrity and confidentiality of the user's session, potentially leading to phishing, UI manipulation, or data leakage. The vulnerability has a medium severity score (CVSS 5.4) with low attack complexity but requires user interaction.

Detection Guidance

This vulnerability involves unescaped HTML content being rendered in the AgentLogLine dashboard component when viewing workspace agent logs. Detection involves verifying if the affected Coder platform versions are in use and checking whether agent logs contain unescaped HTML that could be rendered as live markup.

Since the vulnerability requires viewing attacker-controlled logs, you can inspect logs in the dashboard for suspicious HTML content or injected elements such as meta refresh tags or external image beacons.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the Coder platform to one of the patched versions: 2.29.17, 2.32.7, 2.33.8, or 2.34.2, where the vulnerability has been fixed by enabling proper HTML escaping in the AgentLogLine component.

No known workarounds are available, so upgrading is essential to prevent exploitation.

Additionally, review user permissions to limit workspace-owner access to trusted users, as exploitation requires attacker control over workspace logs and victim interaction.

Compliance Impact

The provided information does not explicitly address how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55437. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart