Description
ipl/web is a set of common web components for php projects. Prior to versions 0.13.1 and 0.10.3, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in versions 0.13.1 and 0.10.3.
Published: 2026-05-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious JavaScript into a victim’s browser by exploiting malformed search requests, enabling execution in the context of Icinga Web. The injected code runs with the privileges of the affected web application. A victim needs to visit a specifically prepared website, and the wrongdoing may go unnoticed.

Affected Systems

Icinga projects using the ipl-web component version 0.10.2 or earlier, and any 0.13.0 or earlier releases, are affected. The vulnerability is patched in release 0.10.3 and any subsequent releases, as well as in 0.13.1 and later. Deployments running a newer version than those mentioned are not affected.

Risk and Exploitability

The CVSS score of 7.6 classifies the issue as high severity. The EPSS score is < 1%, indicating a very low chance of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the flaw by sending a crafted HTTP request from a malicious web page to the vulnerable search endpoint, causing the victim’s browser to execute the injected script. The attack requires user interaction (visiting the malicious page) but no authentication.

Generated by OpenCVE AI on June 9, 2026 at 13:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Icinga ipl-web to at least version 0.10.3, 0.13.1, or any newer release
  • Enforce a Content Security Policy that blocks arbitrary JavaScript execution
  • Review Icinga configurations to ensure that legacy search API endpoints are not exposed and that search inputs are properly escaped

Generated by OpenCVE AI on June 9, 2026 at 13:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-55wf-5m3q-6jjf ipl/web is vulnerable to reflected XSS by malformed search requests
History

Tue, 09 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1. ipl/web is a set of common web components for php projects. Prior to versions 0.13.1 and 0.10.3, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in versions 0.13.1 and 0.10.3.
References

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Icinga
Icinga ipl-web
Vendors & Products Icinga
Icinga ipl-web

Fri, 08 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1.
Title ipl/web is vulnerable to reflected XSS by malformed search requests
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Icinga Ipl-web
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T10:44:43.005Z

Reserved: 2026-04-25T05:37:12.116Z

Link: CVE-2026-42224

cve-icon Vulnrichment

Updated: 2026-05-11T15:58:27.777Z

cve-icon NVD

Status : Deferred

Published: 2026-05-08T23:16:35.990

Modified: 2026-06-17T10:47:32.283

Link: CVE-2026-42224

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T13:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')