Description
Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.
Published: 2026-06-18
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hashgraph Guardian contains a stored cross-site scripting flaw: an authenticated user holding the STANDARD_REGISTRY role can submit a crafted companyName value through the branding configuration API endpoint, and the branding service assigns that value to innerHTML without sanitization. Because the value is persisted with the branding configuration, the injected JavaScript executes in the browser of every authenticated user on every page load until the stored value is removed. A successful attack compromises the confidentiality and integrity of the victim's browser session, enabling credential or token theft, session hijacking, or actions performed with the victim's privileges. The CVSS vectors score no impact on the Guardian server itself (VC:N/VI:N/VA:N in v4.0; C:L/I:L with scope changed in v3.1): the scored impact is on the subsequent system, the authenticated users' browser sessions, not on server-side data or availability.

Affected Systems

Hashgraph Guardian up to and including version 3.5.0 is affected. The fix is commit ba8c566 in the official repository, so any release that incorporates that commit is not vulnerable. Deployments built from source should confirm that the commit is present in the build's history rather than relying on the version number alone.

Risk and Exploitability

The CVSS v3.1 and v4.0 scores of 4.8 both rate the issue as medium severity. No EPSS estimate is available and the vulnerability is not listed in CISA KEV, so there is no public evidence of exploitation in the wild; absence from KEV does not by itself mean it is unexploited. Exploitation requires an authenticated session holding the STANDARD_REGISTRY role (PR:H in both vectors), which is why the score is moderate despite the network attack vector; it is not exploitable by unauthenticated users. Once the crafted companyName is stored, the attacker needs no further interaction: the payload runs for every authenticated user who loads a page (UI:R / UI:P in the vectors).

Generated by OpenCVE AI on June 18, 2026 at 23:35 UTC.

Remediation

No vendor advisory or workaround is currently listed. The CVE description identifies commit ba8c566 in the official Hashgraph Guardian repository as the fix.

OpenCVE Recommended Actions

  • Upgrade the deployment to a Guardian build that includes commit ba8c566 from the official Hashgraph Guardian repository (the fix for versions through 3.5.0).
  • If patching is not immediately possible, change the branding service so the companyName value is rendered as text rather than markup: assign it with textContent, or HTML-encode it before it is placed in innerHTML or a template. Encode at the point of output; a server-side length and character allow-list on the branding API is useful defence in depth but is not a substitute for output encoding.
  • Restrict which STANDARD_REGISTRY accounts may change branding settings until the fix is deployed, and review the currently stored companyName (and other branding strings) for markup, since a payload stored before patching remains in the configuration after the upgrade.
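The unsanitized innerHTML assignment described in the Impact section, beside the textContent and HTML-encoding remediation recommended above, as an added example. This is not Hashgraph Guardian's code and does not reproduce commit ba8c566; the FakeElement stand-in for a DOM element, the crafted payload, and the field names in SAMPLE_BRANDING are constructed for the example.

```javascript
// Added example for this page (not Hashgraph Guardian's code and not the
// ba8c566 fix): the vulnerable innerHTML pattern beside two safe renderings,
// plus an audit helper for branding values stored before a patch.

// The five characters that must be encoded when text is placed in HTML
// element content or a double/single-quoted attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const HTML_UNESCAPES = Object.fromEntries(Object.entries(HTML_ESCAPES).map(([c, e]) => [e, c]));

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Minimal stand-in for a DOM element so the example runs in Node without a
// browser. Assumption: it mirrors the two properties that matter here the way
// a real element does: innerHTML takes the string as markup, textContent
// takes it as inert text.
class FakeElement {
  constructor() { this.html = ""; }
  set innerHTML(markup) { this.html = String(markup); }
  get innerHTML() { return this.html; }
  set textContent(text) { this.html = escapeHtml(text); }
  get textContent() {
    return this.html
      .replace(/<[^>]*>/g, "")
      .replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => HTML_UNESCAPES[e]);
  }
}

// Constructed payload of the kind the description calls a "crafted companyName
// value": a visible name preceded by an element with an event-handler attribute.
const CRAFTED_COMPANY_NAME = '<img src=x onerror="alert(document.cookie)">Acme';

// Vulnerable pattern (CWE-79): the stored string is parsed as markup, so the
// onerror handler would fire on every page that renders the branding.
function renderBrandingUnsafe(el, companyName) {
  el.innerHTML = companyName;
  return el.innerHTML;
}

// Hardened pattern: the same string is set as text, so angle brackets come
// back as entities and no element or handler is created.
function renderBrandingSafe(el, companyName) {
  el.textContent = companyName;
  return el.innerHTML;
}

// When a template must build an HTML string, encode at the point of output.
function brandingBannerHtml(companyName) {
  return `<span class="brand">${escapeHtml(companyName)}</span>`;
}

// Audit helper: flags stored branding strings containing markup or entity
// syntax. A payload stored before the patch stays in the configuration, so
// existing values need review even after upgrading. Heuristic, for triage only.
function looksLikeMarkup(value) {
  return /[<>]|&#|&[a-z]+;|javascript:/i.test(String(value));
}

function auditBranding(config) {
  return Object.entries(config)
    .filter(([, value]) => looksLikeMarkup(value))
    .map(([key]) => key);
}

// Constructed branding configuration; field names are illustrative, not Guardian's schema.
const SAMPLE_BRANDING = {
  companyName: CRAFTED_COMPANY_NAME,
  companyLogoUrl: "https://example.test/logo.png",
  headerColor: "#1f2937",
};

const el = new FakeElement();
console.log("unsafe :", renderBrandingUnsafe(el, CRAFTED_COMPANY_NAME));
console.log("safe   :", renderBrandingSafe(el, CRAFTED_COMPANY_NAME));
console.log("banner :", brandingBannerHtml(CRAFTED_COMPANY_NAME));
console.log("flagged:", auditBranding(SAMPLE_BRANDING));
```

Run with node; the unsafe line echoes the raw `<img ... onerror=...>` markup, while the safe line shows it encoded as `&lt;img ... &gt;Acme` with the name still readable. The audit helper only triages stored values; encoding at the point of output (textContent or escapeHtml) is the actual fix.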

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hashgraph; Hashgraph guardian
Vendors & Products  |                | Hashgraph; Hashgraph guardian

Thu, 18 Jun 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.
Title       |                | Hashgraph Guardian Stored XSS via branding companyName field
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
            |                | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T21:08:05.431Z

Reserved: 2026-01-08T19:04:26.365Z

Link: CVE-2026-22674

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')