Description
Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5.
Published: 2026-06-08
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is DOM‑based XSS originating from the fides_description override in fides.js. An attacker who can influence the fides_description field can inject arbitrary script payloads that execute in the victim's browser context. This allows the attacker to hijack user sessions, deface the site, or exfiltrate sensitive data. The flaw corresponds to CWE‑79.

Affected Systems

The issue affects the open‑source privacy engineering platform Fides as distributed by the vendor ethyca. Versions from 2.33.0 up to but not including 2.84.5 are vulnerable. All installations that use the publicly exposed fides_description override in fides.js are at risk.

Risk and Exploitability

The CVSS score is 7, indicating moderate‑to‑high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. While the precise likelihood of exploitation is unknown, the attack vector is likely web‑based: any party able to set the fides_description value on a vulnerable instance could trigger the XSS. No additional conditions are required beyond the ability to influence that field.

Generated by OpenCVE AI on June 8, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Fides to version 2.84.5 or later where the vulnerability is fixed.
  • If an immediate upgrade is not feasible, restrict or disable the fides_description override to trusted administrators only, preventing untrusted input from setting the field.
  • Implement client‑side validation or sanitization for all data inserted into fides_description to eliminate the risk of injected script execution.
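The third action above is the one a developer acts on. The snippet below is an added illustration, not code from the Fides project: a hypothetical banner renderer that takes a fides_description override, shown first in the unsafe form that lets markup in the override become live DOM, then in the hardened form that escapes the value before it reaches innerHTML, plus a configuration-time check that flags override values carrying markup. All function names and the sample override are constructed for the example.

```javascript
// Added example (not Fides project code). Demonstrates why an unescaped
// description override yields DOM-based XSS and how to render it safely.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern (the class of bug described in the advisory): the override
// string is interpolated into markup verbatim, so any tags it carries are
// parsed as real elements once the string is assigned via innerHTML.
function renderDescriptionUnsafe(defaultDescription, overrides) {
  const text = overrides.fides_description ?? defaultDescription;
  return `<div class="fides-banner-description">${text}</div>`;
}

// Hardened pattern: treat the override as plain text. Escaping before
// interpolation is equivalent to assigning it with textContent in a browser.
function renderDescriptionSafe(defaultDescription, overrides) {
  const text = overrides.fides_description ?? defaultDescription;
  return `<div class="fides-banner-description">${escapeHtml(text)}</div>`;
}

// Defensive check for operators: reject override values that contain tags or
// inline event-handler syntax at configuration time rather than at render time.
function overrideContainsMarkup(value) {
  const s = String(value);
  return /<\s*\/?\s*[a-z!]/i.test(s) || /\bon\w+\s*=/i.test(s);
}

// Constructed sample override, as an untrusted party might supply it.
const sampleOverride = { fides_description: "<script>alert(1)</script>Read our policy" };

// Stand-alone demonstration.
console.log(renderDescriptionUnsafe("Default text", sampleOverride));
console.log(renderDescriptionSafe("Default text", sampleOverride));
console.log("override carries markup:", overrideContainsMarkup(sampleOverride.fides_description));
```

Escaping protects the text node only; if the override is ever placed into an attribute or a URL context, that context needs its own encoding.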


Tracking


Advisories
Source: Github GHSA
ID: GHSA-5qrq-9645-g5g2
Title: ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override
History

Mon, 08 Jun 2026 21:45:00 +0000

First Time appeared: values added: Ethyca; Ethyca fides
Vendors & Products: values added: Ethyca; Ethyca fides

Mon, 08 Jun 2026 20:45:00 +0000

Description: values added: Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5.
Title: values added: Fides: DOM-based XSS vulnerability in fides.js via fides_description override
Weaknesses: values added: CWE-79
References: (none)
Metrics: values added: cvssV4_0, score 7, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T20:01:54.675Z

Reserved: 2026-05-06T19:38:10.567Z

Link: CVE-2026-44541

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T21:16:45.673

Modified: 2026-06-08T21:16:45.673

Link: CVE-2026-44541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T21:30:06Z

Weaknesses