CVE-2026-42224 | THREATINT

Description

ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1.

PUBLISHED Reserved 2026-04-25 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M

HIGH: 7.6CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 0.13.1

affected

References

github.com/...pl-web/security/advisories/GHSA-55wf-5m3q-6jjf

github.com/...ommit/f387e92504d7a03bb857d1aee9b7410e06dd065d

github.com/Icinga/ipl-web/releases/tag/v0.13.1

cve.org (CVE-2026-42224)

nvd.nist.gov (CVE-2026-42224)

Download JSON