EXECUTIVE SUMMARY:
CVE-2026-44541 (CVSS 7.5) is a DOM-based cross-site scripting (XSS) vulnerability in fides.js, reachable through the fides_description override, affecting the ethyca-fides package from version 2.33.0 up to but not including 2.84.5 when HTML-formatted descriptions are enabled. An unauthenticated attacker can exploit it by crafting a malicious link that triggers an alert when the consent banner is rendered, demonstrating arbitrary JavaScript execution in the embedding site's origin with the same authority as the site's own scripts. This lets the attacker read and modify any data the page can access, issue requests on behalf of the visitor, and render content that appears trusted to the visitor. The business impact is critical: a successful exploit can lead to a compromised website, with potential financial loss, reputational damage, and loss of customer trust. Exploitation requires no prerequisites beyond the affected deployment having HTML-formatted banner descriptions enabled and the fides.js script loaded.
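As an added illustration of the mitigation class (this is not Ethyca's code and not the fix shipped in 2.84.5, which this page does not detail): a hypothetical renderDescription helper treats a description override as plain text unless HTML descriptions are explicitly enabled, and even then passes it through an allowlist sanitizer that drops script and img tags, event-handler attributes and non-http(s) links before the string ever reaches innerHTML. The sample override string below is constructed.

```javascript
// Hypothetical hardened rendering path for a consent-banner description override.
// Only these tags survive, and only the listed attributes on each.
const ALLOWED = { p: [], br: [], b: [], i: [], strong: [], em: [], a: ["href"] };

// Escape text so it is displayed literally, never parsed as markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Accept only absolute http(s) links; rejects javascript:, data:, vbscript: etc.
function safeHref(v) {
  const url = v.trim();
  return /^https?:\/\//i.test(url) ? url : null;
}

// Allowlist sanitizer: rebuilds markup from scratch instead of trusting the input.
function sanitizeDescription(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\s*((?:[^>"']|"[^"]*"|'[^']*')*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags is escaped
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!(name in ALLOWED)) continue; // disallowed tag (script, img, iframe...) is dropped
    if (m[0][1] === "/") { out += `</${name}>`; continue; } // closing tags carry no attrs
    let attrs = "", a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const key = a[1].toLowerCase();
      if (!ALLOWED[name].includes(key)) continue; // drops onerror, onclick, style, ...
      const val = a[2] ?? a[3] ?? a[4] ?? "";
      if (key === "href") { const h = safeHref(val); if (h) attrs += ` href="${escapeHtml(h)}"`; }
    }
    if (name === "a") attrs += ' rel="noopener noreferrer"';
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(html.slice(last)); // trailing text, including stray "<"
}

// The override is text by default; HTML is an explicit opt-in and still sanitized.
function renderDescription(override, allowHtml) {
  return allowHtml ? sanitizeDescription(override) : escapeHtml(override);
}

// Constructed sample: a link carrying an inline handler plus an img-based payload.
const SAMPLE_OVERRIDE = '<p>We use <b>cookies</b>. <a href="https://example.com/privacy" ' +
  'onclick="alert(1)">Policy</a><img src=x onerror="alert(1)"></p>';
```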
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-5qrq-9645-g5g2