Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
AnalysisAI
Stored-to-reflected cross-site scripting in Open XDMoD prior to 11.0.3 allows an authenticated attacker to inject JavaScript into their own user profile and then abuse the built-in password reset workflow to deliver the payload to a victim, executing in the victim's browser and enabling credential theft or full account takeover. The flaw is patched in Open XDMoD 11.0.3 (released 2026-05-12) and there is no public exploit identified at time of analysis; the vendor states no evidence of in-the-wild exploitation.
Technical ContextAI
Open XDMoD (XD Metrics on Demand) is an open-source framework maintained by the University at Buffalo CCR (ubccr/xdmod on GitHub) used by HPC centers to collect, store, and visualize utilization, performance, and accounting metrics for high-performance computing resources. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically improper output encoding of user-supplied profile fields that are subsequently rendered inside an HTML email template generated by the password reset feature. Because the malicious string survives the storage layer and is only reflected when the recipient opens the reset page, the bug functions as a stored-then-reflected XSS that crosses a trust boundary between the authenticated submitter and the victim user (often an administrator initiating or receiving the reset).
RemediationAI
Vendor-released patch: Open XDMoD 11.0.3, published 2026-05-12 - upgrade to this version or later as the primary fix, following the upgrade guidance referenced in GHSA-3pv7-qvc3-h527 (https://github.com/ubccr/xdmod/security/advisories/GHSA-3pv7-qvc3-h527). If an immediate upgrade is not feasible, the vendor's stated workaround is to apply the upstream patch manually against the running version; as additional compensating controls, restrict self-service account creation and tighten provisioning so only vetted users can populate profile fields (reduces the attacker pool but does not protect against insider abuse), and instruct administrators to avoid clicking password-reset links delivered to unexpected addresses while the patch is rolled out (reduces likelihood of victim interaction but is not a technical control). A strict Content-Security-Policy on the XDMoD web tier disallowing inline script execution would blunt payload execution at the cost of potentially breaking custom dashboards or plugins that rely on inline JS.
More in Open Xdmod
View allAn issue was discovered in Open XDMoD through 7.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely
SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL st
Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitra
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34906