Description
A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as well.
Published: 2026-01-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

A cross‑site scripting vulnerability exists in the QuestDB UI Web Console component, affecting all releases up to version 1.11.9. The flaw allows an attacker to inject malicious scripts into the console interface, enabling the execution of arbitrary client‑side code within the context of a user’s browser session. The weakness corresponds to CWE‑79 (XSS) and potentially CWE‑94 (Code Injection) due to the manipulation of unknown functions within the web console.

Affected Systems

The vulnerability impacts the QuestDB UI component used in the QuestDB database system. Versions of the UI up to, but not including, 1.1.10 are affected. The fix is contained in commit b42fd9f18476d844ae181a10a249e003dafb823d and will be incorporated into QuestDB 9.3.0 releases; upgrading to 1.1.10 or later resolves the issue.

Risk and Exploitability

The CVSS score of 5.1 signifies moderate severity, and an EPSS score below 1% indicates a low likelihood of exploitation in the wild. However, exploit code is publicly available and the attack can be performed remotely via the Web Console interface. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the publicly released exploit increases concern for environments that expose the Web Console to remote users.

Generated by OpenCVE AI on April 18, 2026 at 07:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the QuestDB UI component to version 1.1.10 or newer, which includes the commit that patches the XSS flaw.
  • If an immediate upgrade is not feasible, restrict or disable external access to the Web Console (e.g., firewall rules, network segmentation, or role‑based access controls).
  • When custom code modifications are present, ensure that all user‑provided data is properly encoded or escaped before rendering to prevent malicious script injection.


Advisories

Source: GitHub GHSA
ID: GHSA-xf94-h87h-g9wr
Title: QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting
History

Mon, 23 Feb 2026 08:45:00 +0000
  References: changed

Wed, 14 Jan 2026 00:15:00 +0000
  References: changed
  Metrics threat_severity: removed None; added Moderate

Mon, 12 Jan 2026 19:15:00 +0000
  Metrics ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000
  First Time appeared: Questdb; Questdb ui
  Vendors & Products: Questdb; Questdb ui

Sat, 10 Jan 2026 14:45:00 +0000
  Description: added "A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as well."
  Title: added "questdb ui Web Console cross site scripting"
  Weaknesses: added CWE-79, CWE-94
  References: added
  Metrics cvssV2_0: added {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
  Metrics cvssV3_0: added {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  Metrics cvssV3_1: added {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  Metrics cvssV4_0: added {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:28:25.943Z

Reserved: 2026-01-09T18:34:33.813Z

Link: CVE-2026-0824

Vulnrichment

Updated: 2026-01-12T18:26:17.945Z

NVD

Status: Deferred

Published: 2026-01-10T15:15:50.137

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0824

Redhat

Severity: Moderate

Public Date: 2026-01-10T14:32:08Z

Links: CVE-2026-0824 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses