Threat Advisory

IPL Web Library Vulnerability Risks Session Hijacking via Cross-Site Scripting

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-42224, with a CVSS score of 7.7, is a vulnerability in the ipl/web package of the Composer project, specifically impacting versions. The issue is classified as a reflected cross-site scripting (XSS) vulnerability: an attacker can inject malicious JavaScript that runs in the victim's browser in the context of Icinga Web. The attacker exploits it by sending a malformed search request to a compromised Icinga Web instance, which requires only that a victim visit a specifically prepared website, potentially without immediate detection. Successful exploitation gives the attacker the ability to inject and execute arbitrary JavaScript code, with significant business impact including potential data exfiltration, unauthorized access, and system compromise. No prerequisites or specific conditions are required beyond an affected package version and a victim visiting a malicious website.


RECOMMENDATION:

We recommend updating ipl/web to version 0.13.1 or later.
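To confirm whether a deployment still carries an affected ipl/web release, the following added example (not code from the advisory or from the ipl/web project) parses a Composer lock file and flags any ipl/web entry older than the fixed version 0.13.1 named above. The composer.lock content is constructed inline for illustration; the only version fact taken from the advisory is the 0.13.1 threshold. Versions that cannot be parsed numerically (for example branch aliases such as dev-master) are reported conservatively so a human can review them.

```python
import json
import re

# Fixed version from the advisory: ipl/web 0.13.1 or later is not affected.
FIXED_VERSION = "0.13.1"

# Constructed sample composer.lock content for this example; not taken from any real deployment.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/unrelated-package", "version": "v2.4.0"},
        {"name": "ipl/web", "version": "v0.12.2"},
    ],
    "packages-dev": [],
})


def parse_version(version):
    """Turn 'v0.13.1' or '0.13.1' into a tuple of ints for comparison.

    Parsing stops at the first non-numeric component, so a pre-release tag
    such as '0.13.1-rc1' compares as 0.13.1 and an unparseable string such as
    'dev-master' yields an empty tuple, which sorts below every real version.
    """
    cleaned = version.lstrip("vV")
    parts = []
    for piece in cleaned.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable_version(version):
    """True when the version is below the fixed release (unparseable versions are flagged)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_ipl_web(lock_text):
    """Return (section, version) pairs for every ipl/web entry that needs updating."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            version = pkg.get("version", "")
            if pkg.get("name") == "ipl/web" and is_vulnerable_version(version):
                findings.append((section, version))
    return findings


if __name__ == "__main__":
    for section, version in find_vulnerable_ipl_web(SAMPLE_LOCK):
        print(f"ipl/web {version} in '{section}' is below {FIXED_VERSION}; update required")
```

In practice, replace SAMPLE_LOCK with the contents of the deployment's composer.lock; `composer show ipl/web` gives the same installed-version answer from the command line.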

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-55wf-5m3q-6jjf
