Description
Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.
Published: 2026-06-18
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hashgraph Guardian versions up to and including 3.6.0 contain a stored cross‑site scripting flaw that enables any authenticated user holding the STANDARD_REGISTRY role to submit specially crafted data in the companyName field of the branding configuration API. The malicious value is stored and later injected into the web interface through an unsanitized innerHTML assignment by the branding service, causing arbitrary JavaScript to execute whenever an authenticated user loads any page of the application. The flaw primarily undermines the confidentiality and integrity of the client‑side session, potentially allowing an attacker to capture user input or modify page content while the victim is logged in. Based on the description, such exploitation could facilitate credential theft or other malicious client‑side actions, but these consequences are inferred rather than explicitly confirmed in the advisory.

Affected Systems

Hashgraph Guardian up to the release that incorporates commit ba8c566 is affected. Any deployment still running the default 3.6.0 or earlier release is vulnerable; all subsequent releases that include the referenced commit are considered fixed.

Risk and Exploitability

With a CVSS score of 4.8, the flaw is classified as medium severity. EPSS data is not provided, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation has been reported. The attack requires an authenticated session with STANDARD_REGISTRY privileges to submit the malicious companyName, and it does not affect unauthenticated users or alter server‑side state. The risk is therefore limited to individuals with the necessary role who can use the API to inject data that will be rendered in other users’ browsers.

Generated by OpenCVE AI on June 23, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Hashgraph Guardian release that includes commit ba8c566 or later.
  • If an immediate upgrade is not possible, modify the branding service so that the companyName string is either escaped or assigned via textContent instead of innerHTML before rendering.
  • Restrict or revoke the STANDARD_REGISTRY role for users who do not require editing of branding settings, or audit and monitor the role’s usage to detect suspicious changes.

Generated by OpenCVE AI on June 23, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load. Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Hashgraph
Hashgraph guardian
Vendors & Products Hashgraph
Hashgraph guardian

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.
Title Hashgraph Guardian Stored XSS via branding companyName field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Hashgraph Guardian
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T11:39:41.429Z

Reserved: 2026-01-08T19:04:26.365Z

Link: CVE-2026-22674

cve-icon Vulnrichment

Updated: 2026-06-22T14:42:32.861Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T14:00:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')