Skip to main content

th30d4y IP CVE-2026-41575

| EUVDEUVD-2026-28651 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 security-advisories@github.com
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
May 08, 2026 - 16:18 EUVD
Analysis Generated
May 08, 2026 - 16:17 vuln.today
CVE Published
May 08, 2026 - 15:16 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was directly rendered in the browser, allowing attackers to execute arbitrary JavaScript. This issue has been patched in version 2.0.1.

AnalysisAI

DOM-based cross-site scripting (XSS) in th30d4y/IP versions 1.0.1 through 2.0.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting malicious input to the IP Reputation Checker application. The vulnerability requires user interaction (clicking a malicious link) but affects all users of vulnerable versions. Vendor-released patch: version 2.0.1.

Technical ContextAI

The IP Reputation Checker application fails to sanitize user input before rendering it in the browser's DOM (Document Object Model), creating a DOM-based XSS vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Unlike reflected or stored XSS, DOM-based XSS occurs entirely on the client side when JavaScript code directly manipulates the DOM without proper encoding of untrusted data. The vulnerability is introduced when user-supplied values (likely IP addresses or query parameters) are dynamically inserted into HTML or JavaScript contexts without proper escaping or HTML encoding.

RemediationAI

Upgrade th30d4y/IP to version 2.0.1 or later immediately. This patched version includes input sanitization to prevent DOM-based XSS. Users unable to upgrade immediately should implement Content Security Policy (CSP) headers restricting script execution to trusted sources only, and configure X-XSS-Protection headers as a secondary control (noting that CSP is the modern standard). Additionally, restrict access to the application to authenticated users and trusted networks if operationally feasible, though this does not eliminate the vulnerability for legitimate users who click malicious links. Review application logs for evidence of XSS payloads in query parameters or form submissions and revoke any user sessions that may have been compromised. The advisory is available at https://github.com/th30d4y/IP/security/advisories/GHSA-j7wv-7j97-9qh9.

Share

CVE-2026-41575 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy