Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS.
AnalysisAI
Cross-site scripting (XSS) vulnerability in Northern.tech CFEngine Enterprise before versions 3.21.8, 3.24.3, and 3.27.0 allows remote attackers to inject malicious scripts into web application responses. User interaction is required to trigger the vulnerability, limiting real-time automation of attacks but enabling account compromise, session hijacking, or credential theft against CFEngine administrators and users. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
CFEngine Enterprise is a configuration management and infrastructure automation platform that includes web-based administrative interfaces. The vulnerability stems from improper input sanitization or output encoding in the web UI, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting'). Affected versions prior to 3.21.8, 3.24.3, and 3.27.0 fail to adequately escape or filter user-supplied data before rendering it in HTML contexts, allowing attackers to embed arbitrary JavaScript code that executes in the victim's browser when they interact with the compromised interface.
RemediationAI
Upgrade CFEngine Enterprise immediately to version 3.21.8, 3.24.3, or 3.27.0 or later depending on your current release line. Northern.tech has released patched versions addressing this XSS vulnerability and two related flaws (CVE-2026-24711 and CVE-2026-24712 per the vendor blog). No workarounds are available for XSS vulnerabilities without patching. If immediate upgrade is not feasible, restrict administrative access to the CFEngine Enterprise web UI to trusted networks only using firewall or reverse-proxy authentication rules, implement Content Security Policy (CSP) headers to mitigate script injection, and disable browser script execution where feasible in administrative workstations - though these measures do not eliminate the vulnerability itself. Refer to https://cfengine.com/blog/2026/cve-2026-24710-and-cve-2026-24711-and-cve-2026-24712/ for detailed patching instructions and version-specific guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30277
GHSA-hx33-3mv6-v6pf