Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (juniper) · only source for this CVE.
CVSS VectorVendor: juniper
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the
list filter field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.
This issue affects all versions of Junos Space before 24.1R5 Patch V3.
AnalysisAI
Stored cross-site scripting (XSS) in Juniper Networks Junos Space allows unauthenticated remote attackers to inject malicious script tags into the list filter field, which execute with the permissions of any user who views the affected page, including administrators. All versions before 24.1R5 Patch V3 are vulnerable. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
Junos Space is a network management platform developed by Juniper Networks. The vulnerability exists in improper input sanitization (CWE-79: Improper Neutralization of Input During Web Page Generation) affecting the list filter field, a web interface component. The vulnerability allows attackers to inject unescaped HTML script tags that persist in the application and execute in the context of subsequent user sessions. This is a classic stored XSS vulnerability where user-supplied input from the filter field is rendered without proper encoding or validation, enabling arbitrary JavaScript execution within the security context of the victim's browser session.
RemediationAI
The primary remediation is to upgrade to Juniper Networks Junos Space version 24.1R5 Patch V3 or later, which contains the fix for input sanitization in the list filter field. Organizations unable to immediately patch should implement compensating controls including: restricting network access to Junos Space management interfaces via firewall rules or VPN, implementing reverse proxy filtering to detect and block script injections in filter parameters, and enforcing strict Content-Security-Policy (CSP) headers if administratively feasible. Detailed patch availability and upgrade procedures are documented in Juniper Networks advisory JSA106003 (https://kb.juniper.net/JSA106003).
More in Junos Space
View allAn authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un
Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embed
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows r
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to aff
Unspecified vulnerability in Juniper Junos Space before 13.3R1.8, when the firewall in disabled, allows remote attackers
Insufficient authentication vulnerability in Junos Space before 15.2R2 allows remote network based users with access to
A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or
Command injection vulnerability in Junos Space before 15.2R2 allows attackers to execute arbitrary code as a root user.
On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on
On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21077
GHSA-3cpj-89qh-f3x6