Description
ipl/web is a set of common web components for PHP projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious JavaScript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1.
Published: 2026-05-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to have the server reflect malicious JavaScript into a victim's browser when a specially crafted search request is processed. The injected script runs in the victim's browser in the context of the affected web application, potentially allowing data theft, session hijacking or further compromise of the environment.

Affected Systems

Icinga projects using the ipl-web component are affected in all deployments that have not been updated to version 0.13.1 or later.

Risk and Exploitability

The CVSS score of 7.6 classifies the issue as high severity. No EPSS score is available, and the vulnerability has not been reported in CISA's KEV catalog. Attackers can exploit the flaw by having a malicious web page send a crafted HTTP request to the search endpoint, which then causes the victim's browser to execute the injected script. The attack requires that a user visit a page that triggers the vulnerable endpoint; no authentication is required.

Generated by OpenCVE AI on May 8, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Icinga ipl-web to version 0.13.1 or newer
  • Enforce a Content Security Policy that blocks arbitrary JavaScript execution
  • Review Icinga configurations to ensure that legacy search API endpoints are not exposed and that search inputs are properly escaped



Advisories
Source | ID | Title
GitHub GHSA | GHSA-55wf-5m3q-6jjf | ipl/web is vulnerable to reflected XSS by malformed search requests
History

Fri, 08 May 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | | ipl/web is a set of common web components for PHP projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious JavaScript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1.
Title | | ipl/web is vulnerable to reflected XSS by malformed search requests
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:02:52.231Z

Reserved: 2026-04-25T05:37:12.116Z

Link: CVE-2026-42224

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T23:16:35.990

Modified: 2026-05-08T23:16:35.990

Link: CVE-2026-42224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:00:25Z

Weaknesses