Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Network-reachable proxy endpoint, no auth needed (PR:N), one victim click (UI:R); JS executes in Remark42 origin so scope changes and confidentiality is high, with limited integrity and no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.
AnalysisAI
Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the target Remark42 instance to be running a vulnerable version (1.6.0-1.15.0) with the image proxy feature enabled - this is the specific feature whose Content-Type handling is inconsistent. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N scores 8.2 (High) and accurately reflects an internet-reachable, no-auth, scope-changing XSS that requires a single user click on a crafted proxy link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts attacker.example/payload.png on their own web server, configured to advertise Content-Type: image/png while actually returning an HTML body containing a JavaScript payload that exfiltrates the victim's Remark42 session cookie or posts comments on their behalf. The attacker then sends or embeds a link of the form https://victim-blog.example/api/v1/proxy?src=<encoded attacker URL> (delivered via email, DM, or a third-party site), and any logged-in Remark42 reader who clicks it executes the JavaScript inside the blog's Remark42 origin. … |
| Remediation | Vendor-released patch: upgrade to Remark42 v1.16.0 or later, which adds X-Content-Type-Options: nosniff and Referrer-Policy: strict-origin-when-cross-origin response headers via the securityHeadersMiddleware (commit 78d6de6bce1e961f023969da3ec8a00dd80c9ae8); see https://github.com/umputun/remark42/releases/tag/v1.16.0 and the advisory at https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Remark42 deployments and identify instances running versions 1.6.0-1.15.0; alert administrators. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability. Rated high seve
remark42 before 1.6.1 allows XSS, as demonstrated by "Locator: Locator{URL:" followed by an XSS payload. Rated medium se
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37511
GHSA-4c8j-mgm4-qqvp