Description
A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/(dashboard)/onboarding/client.tsx of the component Onboarding Endpoint. The manipulation of the argument callbackURL results in cross site scripting. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The patch is identified as 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious script content via the callbackURL parameter in the Onboarding Endpoint component. This leads to a reflected cross‑site scripting condition, enabling an attacker to run arbitrary JavaScript in the victim's browser. The effect could compromise session data or perform phishing attacks, as the script runs with the privileges of the current user. The issue is identified as a classic reflected XSS (CWE‑79) and also involves unsanitized code injection (CWE‑94).

Affected Systems

The affected product is openstatusHQ openstatus; all releases prior to the patched commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb are vulnerable. Because the project follows a rolling‑release model, a specific version list is not provided; any instance running the code before that commit may be susceptible. The vulnerability resides in the client.tsx file of the onboarding endpoint, in an unknown function within the dashboard sub‑module.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by tailoring the callbackURL argument, likely via a crafted URL or form submission. Mitigation requires applying the vendor patch or removing the vulnerable code path.

Generated by OpenCVE AI on April 8, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch corresponding to commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb or upgrade to a release that includes this fix.
  • If an immediate patch is unavailable, sanitise the callbackURL parameter on the client side and ensure it is rendered safely, escaping any script tags.
  • Monitor application logs for suspicious script execution attempts and review user session activity for signs of compromise.
  • Verify that no other components expose the callbackURL or similar unsanitized user‑controlled input.
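One way to implement the client-side check in the second action above, as an added example that is not openstatus's own code: the advisory does not say how client.tsx consumed callbackURL, so this assumes it was used as a navigation target (where a javascript: URL, rather than a script tag, is the usual XSS vector) and restricts it to a same-origin path. The fallback path and the dummy resolve origin are assumptions.

```typescript
// Added example, not openstatus code. Policy (assumed): a post-onboarding
// callbackURL may only be a same-origin path; anything else falls back.

interface CallbackCheck {
  ok: boolean;
  value: string;   // path that is safe to navigate to (fallback when !ok)
  reason?: string; // why the input was rejected, useful for logging
}

// Dummy origin used only to resolve the relative path with the URL parser.
const RESOLVE_BASE = "https://placeholder.invalid";

function safeCallbackURL(raw: string | null | undefined, fallback = "/"): CallbackCheck {
  const reject = (reason: string): CallbackCheck => ({ ok: false, value: fallback, reason });

  if (raw === null || raw === undefined || raw === "") return reject("empty");

  // Control characters and whitespace can hide a scheme or be silently
  // stripped by the browser's URL parser; refuse them outright.
  if (/[\u0000-\u0020\u007f]/.test(raw)) return reject("control character");

  // Only a single-slash relative path is acceptable. This excludes
  // absolute URLs (https:, javascript:, data:) and protocol-relative
  // "//evil.example", which browsers treat as a different origin.
  if (!raw.startsWith("/") || raw.startsWith("//")) return reject("not a relative path");

  // Browsers treat "\" as "/" in special schemes, so "/\evil.example"
  // would also become protocol-relative after parsing.
  if (raw.includes("\\")) return reject("backslash");

  // Let the URL parser normalise "." and ".." segments, then confirm the
  // result still lives on the origin we resolved against.
  let parsed: URL;
  try {
    parsed = new URL(raw, RESOLVE_BASE);
  } catch {
    return reject("unparseable");
  }
  if (parsed.origin !== RESOLVE_BASE) return reject("origin changed");

  return { ok: true, value: parsed.pathname + parsed.search + parsed.hash };
}
```

Call safeCallbackURL on the query parameter before passing it to router.push or an href, and log the reason when ok is false to surface tampering attempts.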

Generated by OpenCVE AI on April 8, 2026 at 22:25 UTC.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Openstatushq; Openstatushq openstatus

Type: Vendors & Products
Values Added: Openstatushq; Openstatushq openstatus

Wed, 08 Apr 2026 21:45:00 +0000

Type: Description
Values Added: the description shown at the top of this page

Type: Title
Values Added: openstatusHQ openstatus Onboarding Endpoint client.tsx cross site scripting

Type: Weaknesses
Values Added: CWE-79, CWE-94

Type: References
Values Added: (none shown)

Type: Metrics
Values Added:

cvssV2_0
{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:OF/RC:C'}

cvssV3_0
{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}

cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}

cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T14:55:24.274Z

Reserved: 2026-04-08T14:56:12.185Z

Link: CVE-2026-5808

Vulnrichment

Updated: 2026-04-09T14:55:08.443Z

NVD

Status : Deferred

Published: 2026-04-08T22:16:24.867

Modified: 2026-04-24T18:04:28.070

Link: CVE-2026-5808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:59Z

Weaknesses