Icinga Web ipl-web CVE-2026-42224
HIGHSeverity by source
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Impact
The vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing.
Patches
Version 0.13.1 includes a fix for this. It will be published as part of icinga-php-library version 0.19.2.
Workarounds
Enable the Content-Security-Policy (CSP) in the general configuration of Icinga Web available since version 2.12.0.
References
None
AnalysisAI
Reflected cross-site scripting (XSS) in Icinga Web's ipl-web library (composer package ipl/web) allows remote attackers to execute arbitrary JavaScript in victim browsers via malformed search requests. Affects all versions ≤0.13.0. Fixed in ipl/web 0.13.1 (bundled in icinga-php-library 0.19.2). Requires high-privilege authenticated attacker and victim user interaction via social engineering. No active exploitation confirmed by CISA KEV. CVSS 7.7 reflects scope change (cross-user impact) despite complex attack prerequisites.
Technical ContextAI
The vulnerability resides in ipl-web, a PHP component library used by Icinga Web 2 monitoring interface. Classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), this reflected XSS flaw stems from inadequate sanitization of user-supplied search parameters in the CompatController component. The GitHub commit diff reveals the fix adds 'Content-Type: application/vnd.icinga+multipart' header enforcement to prevent browsers from interpreting malicious multipart responses as HTML. The composer package identifier is ipl/web, distributed as part of the larger icinga-php-library. Attack requires crafting a malicious URL exploiting search functionality that reflects unsanitized input into the HTTP response, which the victim's browser then executes as JavaScript when visiting the attacker-controlled link.
RemediationAI
Upgrade ipl-web to version 0.13.1 or later (released as part of icinga-php-library 0.19.2) per vendor advisory at https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf. The fix is implemented in commit f387e92504d7a03bb857d1aee9b7410e06dd065d, which enforces 'Content-Type: application/vnd.icinga+multipart' headers to prevent browser misinterpretation of responses. For organizations unable to immediately upgrade, enable Content-Security-Policy (CSP) in Icinga Web general configuration (feature available since Icinga Web 2.12.0) as an effective compensating control. CSP implementation blocks inline JavaScript execution, neutralizing reflected XSS attacks, though this may require testing to ensure compatibility with legitimate Icinga Web functionality. Additionally, restrict Icinga Web access to trusted networks via firewall rules and enforce multi-factor authentication for high-privilege accounts to raise the bar for the PR:H prerequisite. Monitor web application logs for anomalous search parameters containing JavaScript syntax as potential exploitation attempts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-55wf-5m3q-6jjf