Description
A security flaw has been discovered in LockerProject Locker 0.0.0/0.0.1/0.1.0. Affected is the function authIsAwesome of the file source-code/Locker-master/Ops/registry.js of the component Error Response Handler. The manipulation of the argument ID results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The flaw is in the authIsAwesome function of source-code/Locker-master/Ops/registry.js in LockerProject Locker 0.0.0, 0.0.1 and 0.1.0, which the record attributes to the component's error response handler. Attacker-controlled text supplied as the ID argument is written into the error response without encoding, so an attacker can inject script that executes in the victim's browser (CWE-79; the record also lists CWE-94). A successful injection can steal session cookies, act on the victim's behalf within the application, or present client-side phishing content. No authentication is required (PR:N in the CVSS vectors), but the victim must be induced to issue the crafted request, typically by following a link (UI:R in CVSS 3.x, UI:P in CVSS 4.0).

Affected Systems

Affects LockerProject Locker 0.0.0, 0.0.1 and 0.1.0, the releases listed in the VulDB record. The supplied data does not state whether any other version is affected or unaffected.

Risk and Exploitability

The CVSS 4.0 base score is 5.3 (Medium); the CVSS 3.1 score is 4.3 (Medium). The vector (AV:N/AC:L/PR:N/UI:R, I:L only) describes a remote, low-complexity attack that needs no privileges but does need the victim's interaction, with an integrity impact limited to the victim's browser session. The EPSS score is below 1 %, suggesting a low probability of exploitation in the next 30 days. The vulnerability is not listed in the CISA KEV catalog, so CISA has not recorded in-the-wild exploitation; that is not evidence that it is unexploited. The attack is a crafted request whose ID value is reflected into the server's error response; an attacker who can get a victim to issue that request (for example via a link on a page they control) triggers the XSS in the victim's session. The record states that a proof of concept has been released publicly (SSVC Exploitation: poc), so a working payload is readily available.

Generated by OpenCVE AI on March 17, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest LockerProject Locker release when one becomes available (the public issue report indicates the project has not yet responded, and no fix is known).
  • Until an update is available, serve a Content Security Policy on Locker's responses that disallows inline and attacker-origin script. This limits what an injected payload can do but does not remove the injection itself.
  • Ensure that the ID argument, and every other request-derived value written into registry.js error responses, is encoded for the HTML context in which it is emitted, so that no unescaped markup reaches the browser.
  • Perform security testing on the application, using the published proof of concept as one test case, to confirm that the XSS vector has been neutralized.
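The encoding, CSP and regression-test items above, worked through in Node.js-style JavaScript. This is an added example and not the Locker project's code: the shape of the handler, the query parameter name id, the 404 status and all helper names are assumptions for illustration. It places the vulnerable error-body builder beside a hardened one and includes a small check of the kind the last item describes.

```javascript
// Added example, not the Locker project's code. A minimal error-response
// builder in Node.js-style JavaScript: the vulnerable form interpolates the
// request's ID argument into HTML unencoded, the hardened form encodes it and
// adds response headers that limit what an injected payload could do.
// The parameter name "id", the 404 status and all helper names are assumptions.

// Replace every character that can open, close or alter markup in HTML text
// and attribute context with its entity, so attacker text stays text.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern (CWE-79): the ID reaches the browser verbatim.
function unsafeErrorBody(id) {
  return `<html><body><h1>Error</h1><p>Unknown registry entry: ${id}</p></body></html>`;
}

// Hardened pattern: the same page with the ID encoded for HTML text context.
function safeErrorBody(id) {
  return `<html><body><h1>Error</h1><p>Unknown registry entry: ${escapeHtml(id)}</p></body></html>`;
}

// Defence in depth for the error response: a CSP that allows no script at
// all, and nosniff so the body is never reinterpreted as another type.
// These reduce impact if an encoding bug slips through; they do not fix it.
function safeErrorHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// What a hardened handler would send for an unknown ID.
function renderLookupError(id) {
  return { status: 404, headers: safeErrorHeaders(), body: safeErrorBody(id) };
}

// Regression check of the kind the testing step calls for: push a constructed
// XSS probe through a body builder and report whether its tags survive as
// tags. Encoded output contains "&lt;script", never a literal "<script".
const XSS_PROBE = '"><script>alert(document.cookie)</script><img src=x onerror=alert(1)>';

function reflectsProbeMarkup(bodyBuilder) {
  const body = bodyBuilder(XSS_PROBE);
  return /<script\b|<img\b/i.test(body);
}

console.log('unsafe reflects probe:', reflectsProbeMarkup(unsafeErrorBody)); // true
console.log('safe reflects probe:  ', reflectsProbeMarkup(safeErrorBody));   // false
```

Encoding is chosen per output context: escapeHtml is correct for text between tags and for quoted attribute values, but a value written into a script block, a URL or an unquoted attribute needs a different encoder. The CSP is deliberately restrictive because an error page has no legitimate need for script; a real Locker deployment would have to relax it for pages that do.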

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Lockerproject; Lockerproject locker

Type: Vendors & Products
Values Added: Lockerproject; Lockerproject locker

Wed, 11 Mar 2026 19:45:00 +0000

Type: Description
Values Added: A security flaw has been discovered in LockerProject Locker 0.0.0/0.0.1/0.1.0. Affected is the function authIsAwesome of the file source-code/Locker-master/Ops/registry.js of the component Error Response Handler. The manipulation of the argument ID results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Added: LockerProject Locker Error Response registry.js authIsAwesome cross site scripting

Type: Weaknesses
Values Added: CWE-79; CWE-94

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T19:58:03.250Z

Reserved: 2026-03-11T12:09:22.394Z

Link: CVE-2026-3951

Vulnrichment

Updated: 2026-03-12T19:57:56.852Z

NVD

Status : Deferred

Published: 2026-03-11T20:16:23.253

Modified: 2026-04-22T21:30:26.497

Link: CVE-2026-3951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:14Z

Weaknesses