Description
Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.
Published: 2026-06-16
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Remark42 contains a content‑type spoofing flaw that allows an attacker to trick the image proxy into fetching an arbitrary remote URL while treating a malicious payload as an image during download but delivering it as text/html during serving. This inconsistency gives an unauthenticated attacker the ability to inject and execute arbitrary HTML and JavaScript in the browser context of any visitor who accesses the crafted proxy URL, leading to script execution, session hijacking or defacement. The weakness falls under CWE‑79 (Cross‑Site Scripting) and CWE‑436 (Improper Validation of Remote Data).

Affected Systems

The vulnerability affects all deployments of the self‑hosted Comment Engine Remark42 by umputun running versions 1.6.0 through 1.15.0, regardless of the hosting environment, as long as the image proxy endpoint (/api/v1/img) is enabled. The issue is present in any environment where Remark42 is exposed to the internet and the proxy fetches external resources.

Risk and Exploitability

The CVSS base score is 8.2, categorising it as High severity. The EPSS score is below 1%, indicating a low but non‑zero probability of exploitation. Remark42 is not listed in CISA KEV, but the vulnerability requires no authentication and can be triggered via any means of delivering the proxy link to a victim (e.g., email, chat, or a link on another website). Once delivered, the attacker’s JavaScript executes in the victim’s browser with the same origin as Remark42, potentially compromising user data and session integrity.

Generated by OpenCVE AI on June 17, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Remark42 to version 1.16.0 or later, which includes the fixed image proxy logic.
  • If an immediate upgrade is not possible, disable or restrict the image‑proxy endpoint (/api/v1/img) so that Remark42 does not fetch external resources from untrusted origins.
  • Modify the proxy settings to validate the actual image bytes against the declared content‑type before acceptance, or implement stricter content‑type sniffing to prevent spoofing.

Generated by OpenCVE AI on June 17, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4c8j-mgm4-qqvp Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Umputun
Umputun remark42
Vendors & Products Umputun
Umputun remark42

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.
Title Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
Weaknesses CWE-436
CWE-79
References
Metrics cvssV3_0

{'score': 8.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}


Subscriptions

Umputun Remark42
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T13:20:11.543Z

Reserved: 2026-05-22T20:18:20.365Z

Link: CVE-2026-48788

cve-icon Vulnrichment

Updated: 2026-06-17T13:19:23.500Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:14Z

Weaknesses
  • CWE-436

    Interpretation Conflict

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')