Description
Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries
Published: 2026-04-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS allowing unauthenticated code execution and potential service takeover
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation in CoolerControl’s coolercontrol-ui log viewer. Unauthenticated users can inject malicious JavaScript into log entries, which the interface renders without sufficient sanitization. The injected code runs within the context of service users, enabling session hijack, data exfiltration, or even full service takeover, thereby compromising confidentiality, integrity, and availability.

Affected Systems

The CoolerControl coolercontrol-ui component is affected in all releases older than version 4.0.0. Administrators should verify that their installation’s version is below 4.0.0 and plan an upgrade accordingly.

Risk and Exploitability

With a CVSS score of 7.6, this issue is high severity. Attackers require no authentication and can simply navigate to the log viewer to deliver the payload, as the description explicitly states. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the ease of exploitation and the serious impact keep the risk significant for exposed deployments.

Generated by OpenCVE AI on April 8, 2026 at 13:50 UTC.

Remediation

Vendor Solution

Upgrade to version 4.0.0

OpenCVE Recommended Actions

  • Upgrade CoolerControl UI to version 4.0.0

Generated by OpenCVE AI on April 8, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Coolercontrol coolercontrold
CPEs cpe:2.3:a:coolercontrol:coolercontrold:*:*:*:*:*:*:*:*
Vendors & Products Coolercontrol coolercontrold

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Coolercontrol
Coolercontrol coolercontrol-ui
Vendors & Products Coolercontrol
Coolercontrol coolercontrol-ui

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L'}

Subscriptions

Coolercontrol Coolercontrol-ui Coolercontrold
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T16:02:36.804Z

Reserved: 2026-04-01T05:33:22.052Z

Link: CVE-2026-5301

cve-icon Vulnrichment

Updated: 2026-04-08T16:02:33.900Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T13:16:43.260

Modified: 2026-04-16T00:47:16.257

Link: CVE-2026-5301

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:21:53Z

Weaknesses