Skip to main content

Icinga Web ipl-web CVE-2026-42224

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-29 https://github.com/Icinga/ipl-web GHSA-55wf-5m3q-6jjf
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
May 08, 2026 - 23:22 vuln.today
cvss_changed
CVSS changed
May 08, 2026 - 23:22 NVD
7.7 (HIGH) 7.6 (HIGH)
Source Code Evidence Fetched
Apr 29, 2026 - 22:00 vuln.today
Analysis Generated
Apr 29, 2026 - 22:00 vuln.today
Analysis Generated
Apr 29, 2026 - 21:30 vuln.today
Patch released
Apr 29, 2026 - 21:30 nvd
Patch available
CVE Published
Apr 29, 2026 - 21:01 nvd
HIGH 7.7

DescriptionGitHub Advisory

Impact

The vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing.

Patches

Version 0.13.1 includes a fix for this. It will be published as part of icinga-php-library version 0.19.2.

Workarounds

Enable the Content-Security-Policy (CSP) in the general configuration of Icinga Web available since version 2.12.0.

References

None

AnalysisAI

Reflected cross-site scripting (XSS) in Icinga Web's ipl-web library (composer package ipl/web) allows remote attackers to execute arbitrary JavaScript in victim browsers via malformed search requests. Affects all versions ≤0.13.0. Fixed in ipl/web 0.13.1 (bundled in icinga-php-library 0.19.2). Requires high-privilege authenticated attacker and victim user interaction via social engineering. No active exploitation confirmed by CISA KEV. CVSS 7.7 reflects scope change (cross-user impact) despite complex attack prerequisites.

Technical ContextAI

The vulnerability resides in ipl-web, a PHP component library used by Icinga Web 2 monitoring interface. Classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), this reflected XSS flaw stems from inadequate sanitization of user-supplied search parameters in the CompatController component. The GitHub commit diff reveals the fix adds 'Content-Type: application/vnd.icinga+multipart' header enforcement to prevent browsers from interpreting malicious multipart responses as HTML. The composer package identifier is ipl/web, distributed as part of the larger icinga-php-library. Attack requires crafting a malicious URL exploiting search functionality that reflects unsanitized input into the HTTP response, which the victim's browser then executes as JavaScript when visiting the attacker-controlled link.

RemediationAI

Upgrade ipl-web to version 0.13.1 or later (released as part of icinga-php-library 0.19.2) per vendor advisory at https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf. The fix is implemented in commit f387e92504d7a03bb857d1aee9b7410e06dd065d, which enforces 'Content-Type: application/vnd.icinga+multipart' headers to prevent browser misinterpretation of responses. For organizations unable to immediately upgrade, enable Content-Security-Policy (CSP) in Icinga Web general configuration (feature available since Icinga Web 2.12.0) as an effective compensating control. CSP implementation blocks inline JavaScript execution, neutralizing reflected XSS attacks, though this may require testing to ensure compatibility with legitimate Icinga Web functionality. Additionally, restrict Icinga Web access to trusted networks via firewall rules and enforce multi-factor authentication for high-privilege accounts to raise the bar for the PR:H prerequisite. Monitor web application logs for anomalous search parameters containing JavaScript syntax as potential exploitation attempts.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-42224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy