Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
The error_description parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the error_description parameter of Gainsight Assist, allowing unauthenticated attackers to inject malicious JavaScript payloads that execute in victims' browsers. The vulnerability is particularly dangerous because attackers can bypass the application's Web Application Firewall (WAF) using Safari-specific event handlers such as onpagereveal, which are not typically filtered by standard XSS protections. While the CVSS score of 6.1 indicates moderate severity with limited direct impact (integrity and availability degradation rather than confidentiality breach), the attack requires minimal technical complexity and no special privileges, making it exploitable by any attacker who can craft a malicious URL and socially engineer a victim into clicking it.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting), a classic injection flaw where user-supplied input in the error_description parameter is reflected back to the user's browser without proper sanitization or encoding. The attack surface is broadened by browser-specific event handler implementations; Safari interprets onpagereveal as a valid event attribute, whereas other browsers may ignore it or handle it differently. This differential behavior is a form of inconsistent security validation across rendering engines. Gainsight Assist (affected versions per CPE cpe:2.3:a:gainsight:gainsight_assist:*:*:*:*:*:*:*:*) does not adequately filter or HTML-encode special characters and event handler names in error messages, allowing JavaScript code to be injected via parameters that are then rendered in HTTP responses without Content Security Policy (CSP) or output encoding protections.
RemediationAI
Apply the security patch released by Gainsight Assist as described in the Rapid7 advisory (https://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed/); the advisory indicates a fix is available and should be deployed to all affected instances. As interim or complementary controls pending patch deployment, implement a Web Application Firewall (WAF) rule that blocks requests containing event handler keywords (including Safari-specific handlers such as onpagereveal, onload, onerror) in the error_description parameter, enforce a strict Content Security Policy (CSP) header that disallows inline script execution, and ensure all user-supplied error messages are HTML-encoded before rendering. Additionally, educate users not to click on suspicious links sent via email or messaging, and monitor for indicators of XSS exploitation such as unusual session activity or unauthorized data access from users' accounts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13686