Description
Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute JavaScript in the file browser. This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.
Published: 2026-05-14
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open OnDemand portals before versions 4.0.11, 4.1.5, and 4.2.2 allow specially crafted filenames to run JavaScript in the file browser. This injection flaw can give an attacker the ability to execute arbitrary scripts in the browser of a logged-in user, within that user's session context. The consequence is script execution that can lead to credential theft, session hijacking, or further propagation if the user has elevated privileges. The weakness is a classic reflected or stored XSS (CWE-79).

Affected Systems

This vulnerability affects the OSC:ondemand product, specifically all releases prior to 4.0.11, 4.1.5, and 4.2.2. Operators running those earlier versions are at risk, while newer releases contain the fix.

Risk and Exploitability

With a CVSS score of 5.3, the risk is moderate. No EPSS score is available and the flaw is not listed in CISA's KEV catalog, suggesting limited current exploitation activity. The attack vector is inferred to be web-based: a user who can interact with the file browser component, for example through an authenticated web session, can supply a malicious filename to trigger the vulnerability.

Generated by OpenCVE AI on May 14, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Open OnDemand installation to version 4.0.11 or later, 4.1.5 or later, or 4.2.2 or later, where the issue is fixed
  • Apply any vendor patches or updates that address the XSS flaw as soon as possible
  • Configure the application to validate and sanitize all file names, stripping or encoding characters that could be interpreted as script code
  • Implement a Content-Security-Policy that restricts executable scripts to trusted sources, reducing the impact if an injection occurs

Advisories

No advisories yet.

History

Thu, 14 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute JavaScript in the file browser. This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.
Title | | Open OnDemand: Specially crafted filenames can execute javascript in the file browser
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:37:14.075Z

Reserved: 2026-05-05T20:15:20.631Z

Link: CVE-2026-44371

Vulnrichment

Updated: 2026-05-14T15:37:10.843Z

NVD

Status : Deferred

Published: 2026-05-14T15:16:48.117

Modified: 2026-05-14T18:19:25.260

Link: CVE-2026-44371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z

Weaknesses