Skip to main content

STIG Manager CVE-2026-41200

| EUVDEUVD-2026-25158 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-23 GitHub_M
8.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

8
Patch released
Apr 29, 2026 - 20:46 nvd
Patch available
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:48 vuln.today
Patch available
Apr 23, 2026 - 06:16 EUVD
CVSS changed
Apr 23, 2026 - 02:35 NVD
8.5 (HIGH)
EUVD ID Assigned
Apr 23, 2026 - 01:15 euvd
EUVD-2026-25158
Analysis Generated
Apr 23, 2026 - 01:15 vuln.today
CVE Published
Apr 23, 2026 - 00:40 nvd
HIGH 8.5

DescriptionGitHub Advisory

STIG Manager is an API and web client for managing Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code in src/init.js and public/reauth.html. During the OIDC redirect flow, the error and error_description query parameters returned by the OIDC provider are written directly to the DOM via innerHTML without HTML escaping. An attacker who can craft a malicious redirect URL and convince a user to follow it can execute arbitrary JavaScript in the application's origin context. The vulnerability is most severe when the targeted user has an active STIG Manager session running in another browser tab - injected code executes in the same origin and can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data. The vulnerability is patched in version 1.6.8. There is no workaround short of upgrading. Deployments behind a web application firewall that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching.

AnalysisAI

Reflected Cross-Site Scripting in STIG Manager 1.5.10 through 1.6.7 enables arbitrary JavaScript execution during OIDC authentication error handling. Attackers crafting malicious redirect URLs can exploit unsanitized error parameters written directly to DOM via innerHTML. When victims with active sessions follow these links, injected code executes in application context with access to SharedWorker-managed authentication tokens, enabling authenticated API requests to read and modify STIG assessment collection data. CVSS 8.5 reflects high confidentiality and integrity impact despite requiring user interaction. No public exploit identified at time of analysis; vendor-released patch available in version 1.6.8.

Technical ContextAI

STIG Manager is a web application for managing Security Technical Implementation Guide (STIG) assessments of information systems, utilizing OpenID Connect (OIDC) for authentication. The vulnerability exists in the OIDC redirect flow implementation within src/init.js and public/reauth.html. During OAuth 2.0/OIDC authentication, authorization servers return error information via query parameters (error and error_description) when authentication fails. The affected code directly assigns these untrusted parameters to DOM elements using innerHTML without HTML entity encoding or sanitization. This CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability allows injection of arbitrary HTML and JavaScript. The application architecture uses SharedWorkers for cross-tab session management, storing active access tokens accessible to any script executing in the application's origin. The affected CPE is cpe:2.3:a:nuwcdivnpt:stig-manager covering versions 1.5.10 through 1.6.7.

RemediationAI

Upgrade immediately to STIG Manager version 1.6.8 or later, which patches the XSS vulnerability through proper HTML sanitization of OIDC error parameters. Download the patched release from the official GitHub repository at https://github.com/NUWCDIVNPT/stig-manager per advisory GHSA-wg33-j3rv-jq72. For containerized deployments, update Docker images to version 1.6.8 tags. The vendor explicitly states no workaround exists short of upgrading, meaning temporary mitigations are unreliable. Organizations unable to upgrade immediately may deploy web application firewall (WAF) rules filtering XSS payloads in query parameters (specifically targeting error and error_description parameters in OIDC callback URLs), but this provides only partial protection against sophisticated encoding techniques and is NOT a substitute for patching. As a compensating control with significant operational impact, organizations could temporarily disable OIDC authentication and revert to alternative authentication methods if supported, though this disrupts user workflows. Review application logs for suspicious OIDC error callbacks containing script tags or JavaScript event handlers as potential exploitation indicators during the vulnerable period.

Share

CVE-2026-41200 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy