Skip to main content

CFEngine Enterprise CVE-2026-33553

| EUVDEUVD-2026-34019 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 mitre GHSA-g9rp-3m3m-wgj5
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 18:26 vuln.today
CVSS changed
Jun 03, 2026 - 18:22 NVD
6.1 (MEDIUM)
CVE Published
Jun 02, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS.

AnalysisAI

Cross-site scripting in Northern.tech CFEngine Enterprise Mission Portal (the web-based management UI) affects versions 3.24.3 and 3.27.0, patched in 3.24.4 and 3.27.1 respectively. An unauthenticated remote attacker can craft a malicious URL or inject content that, when rendered in a victim's browser within the Mission Portal, executes arbitrary JavaScript in the context of the victim's session. No public exploit identified at time of analysis, and EPSS places this in the 5th percentile, indicating low observed exploitation interest.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), meaning user-controlled input is reflected or stored in the Mission Portal's HTML output without adequate sanitization or encoding. CFEngine Enterprise is an infrastructure automation and compliance platform; Mission Portal is its browser-based management console used by administrators to manage infrastructure policy. The CVSS vector component S:C (Scope Changed) is particularly noteworthy: it indicates the injected script executes in a security scope beyond the vulnerable component itself - typically the victim's authenticated browser session - enabling actions or data access that span beyond the immediate input field. The CPE data provided (n/a:n/a) is uninformative; affected product identification is drawn from the CVE description and vendor blog reference.

RemediationAI

Upgrade CFEngine Enterprise to version 3.24.4 (if running the 3.24.x branch) or to version 3.27.1 (if running the 3.27.x branch). Patch details and guidance are available in the vendor blog post at https://cfengine.com/blog/2026/cve-2026-33553-xss-in-mission-portal/. If immediate patching is not feasible, restrict access to the Mission Portal to trusted internal networks or VPN-only endpoints to reduce attacker delivery surface - this mitigates the network-based delivery vector but does not eliminate the XSS flaw for insider or lateral-movement scenarios. Additionally, deploying a web application firewall with XSS filtering rules in front of Mission Portal can serve as a compensating control, though WAF bypass remains possible. Training Mission Portal users to avoid clicking unsolicited links referencing the portal URL is a minimal procedural control. No side effects of the recommended patch upgrade have been identified in available references.

Share

CVE-2026-33553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy