Description
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.
Published: 2026-03-20
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM XSS
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Jexactyl allows arbitrary script execution through a stored DOM cross‑site scripting flaw. Server‑side JSON objects are injected directly into a Blade template using an unescaped JSON helper, causing user‑controlled string values to break out of the JavaScript context. When a page containing the affected template is rendered, the embedded script runs in the victim’s browser, providing an attacker with full control over that session and the ability to manipulate or exfiltrate data. This weakness is consistent with CWE‑79, which covers cross‑site scripting flaws.

Affected Systems

Jexactyl installations, particularly versions 4.0.0. For the 4.0.0 series, all beta releases (4.0.0 beta1 through beta7) and release candidates (4.0.0 rc1 and rc2) are affected. Any prior release of Jexactyl that includes the vulnerable template code prior to commit e28edb204e80efab628d1241198ea4f079779cfd is also impacted. The issue was fixed in the referenced commit and therefore any version newer than that commit is considered safe.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate theoretical severity, while an EPSS score of less than 1% suggests a low current exploitation likelihood. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, further supporting low public exploit activity. The attack vector, inferred from the description, is client‑side browser execution triggered by normal loading of a Jexactyl page. An attacker must first supply malicious content into a server‑side field that is later JSON‑encoded, such as a username, display name, or site configuration value. Once the vulnerable page is viewed by any authenticated or unauthenticated user, the malicious script will execute in that user’s browser context.

Generated by OpenCVE AI on April 14, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit e28edb204e80efab628d1241198ea4f079779cfd or upgrade to Jexactyl 4.0.0 rc2 or newer.
  • If an immediate upgrade is not possible, modify the wrapper.blade.php template to safely encode JSON data, for example by using json_encode with appropriate escape flags or by rendering the JSON as a string literal.
  • Verify that all user‑controlled values are no longer rendered raw in client‑side JavaScript and test the page to confirm the vulnerability is remediated.

Generated by OpenCVE AI on April 14, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:jexactyl:jexactyl:*:*:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc2:*:*:*:*:*:*

Mon, 30 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
Description exactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd. Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.
Title exactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template Jexactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Jexactyl
Jexactyl jexactyl
Vendors & Products Jexactyl
Jexactyl jexactyl

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 08:00:00 +0000

Type Values Removed Values Added
Description exactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.
Title exactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Jexactyl Jexactyl
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T12:39:35.052Z

Reserved: 2026-03-17T19:27:06.342Z

Link: CVE-2026-33061

cve-icon Vulnrichment

Updated: 2026-03-20T13:49:21.671Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T08:16:12.090

Modified: 2026-04-14T17:56:38.773

Link: CVE-2026-33061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses