CVE-2026-40607
HIGHLifecycle Timeline
1DescriptionCVE.org
Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON.
Impact
Cross-site scripting (XSS).
Note that By default, only users with *Manager* access level or above can save their filters publicly
Patches
- 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010
Workarounds
- Prevent display of users' real name (set
$g_ show_user_realname = OFF;in configuration) - Restrict ability to store filters (set $
g_stored_query_create_threshold/ $g_stored_query_create_shared_thresholdtoNOBODY
Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Analysis
Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON.
Impact
Cross-site scripting (XSS).
Note that By default, only users with *Manager* access level or above can save their filters publicly
Patches
- 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010
Workarounds
- Prevent display of users' real name (set
$g_ show_user_realname = OFF;in configuration) - Restrict ability to store filters (set $
g_stored_query_create_threshold/ $g_stored_query_create_shared_thresholdtoNOBODY
Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f633-865q-2mhh