Impact
Remark42 contains a content‑type spoofing flaw that allows an attacker to trick the image proxy into fetching an arbitrary remote URL while treating a malicious payload as an image during download but delivering it as text/html during serving. This inconsistency gives an unauthenticated attacker the ability to inject and execute arbitrary HTML and JavaScript in the browser context of any visitor who accesses the crafted proxy URL, leading to script execution, session hijacking or defacement. The weakness falls under CWE‑79 (Cross‑Site Scripting) and CWE‑436 (Improper Validation of Remote Data).
Affected Systems
The vulnerability affects all deployments of the self‑hosted Comment Engine Remark42 by umputun running versions 1.6.0 through 1.15.0, regardless of the hosting environment, as long as the image proxy endpoint (/api/v1/img) is enabled. The issue is present in any environment where Remark42 is exposed to the internet and the proxy fetches external resources.
Risk and Exploitability
The CVSS base score is 8.2, categorising it as High severity. The EPSS score is below 1%, indicating a low but non‑zero probability of exploitation. Remark42 is not listed in CISA KEV, but the vulnerability requires no authentication and can be triggered via any means of delivering the proxy link to a victim (e.g., email, chat, or a link on another website). Once delivered, the attacker’s JavaScript executes in the victim’s browser with the same origin as Remark42, potentially compromising user data and session integrity.
OpenCVE Enrichment
Github GHSA