Description
Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS.
Published: 2026-05-14
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject and execute arbitrary JavaScript within the context of the CFEngine Enterprise web interface. This cross‑site scripting flaw (CWE‑79) could enable modification of displayed content or capture information stored in the browser, but the CVE description does not specify particular exploitation outcomes such as credential theft or session hijack.

Affected Systems

Northern.tech CFEngine Enterprise releases prior to 3.21.8, 3.24.3, and 3.27.0 are affected. The flaw resides in the web UI component of these versions.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is through the web interface where malicious input may be entered and subsequently rendered without proper sanitization; exploitation requires an authenticated user to interact with the interface from a browser, which reduces the overall threat level compared to remote code execution but still poses a significant risk to users of the affected UI.

Generated by OpenCVE AI on May 14, 2026 at 18:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CFEngine Enterprise to version 3.21.8, 3.24.3, or 3.27.0 or later.
  • If an upgrade cannot be performed immediately, restrict web UI access to trusted administrators and enforce least‑privilege controls.
  • Deploy a web application firewall or similar input filtering to block suspicious JavaScript payloads reaching the interface.
  • Implement proper input validation and output encoding on user‑supplied fields to mitigate future XSS attempts.

Generated by OpenCVE AI on May 14, 2026 at 18:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Northern.tech CFEngine Enterprise Web Interface

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Northern.tech CFEngine Enterprise Web Interface
Weaknesses CWE-79

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T15:25:41.560Z

Reserved: 2026-01-24T00:00:00.000Z

Link: CVE-2026-24710

cve-icon Vulnrichment

Updated: 2026-05-14T15:25:36.342Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T15:16:44.710

Modified: 2026-05-14T17:06:08.693

Link: CVE-2026-24710

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T18:45:26Z

Weaknesses