Skip to main content

Suse CVE-2026-5301

| EUVDEUVD-2026-20459 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 GitLab GHSA-6vr8-827j-mg8v
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

8
Analysis Updated
Apr 16, 2026 - 06:02 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.0.0
Analysis Updated
Apr 16, 2026 - 01:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 01:06 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 13:16 euvd
EUVD-2026-20459
Analysis Generated
Apr 08, 2026 - 13:16 vuln.today
CVE Published
Apr 08, 2026 - 12:04 nvd
HIGH 7.6

DescriptionCVE.org

Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries

AnalysisAI

Remote stored cross-site scripting in CoolerControl UI's log viewer (versions 2.0.0 through 3.x) enables complete service compromise when administrators view poisoned log entries. GitLab-reported vulnerability affects coolercontrol-ui versions before 4.0.0. Attack requires user interaction (administrator must view logs) but no authentication to inject payload. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No public exploit identified at time of analysis, not listed in CISA KEV.

Technical ContextAI

CoolerControl is a Linux cooling device control application with a web-based UI component (coolercontrol-ui). The vulnerability is a classic stored XSS (CWE-79) in the AppInfoView.vue component's log viewer functionality. Code review of the vulnerable 2.0.0 and 3.1.1 releases shows the log display mechanism directly renders log entries without proper sanitization or output encoding. The affected component (AppInfoView.vue line 224 in v2.0.0, line 350 in v3.1.1) likely uses Vue.js's v-html directive or equivalent unsafe rendering method. An attacker can inject malicious JavaScript into application logs through various input vectors (network requests, hardware sensor data, configuration files), which then executes in the context of an administrator's browser session when viewing logs. The CPE string cpe:2.3:a:coolercontrol:coolercontrol-ui identifies the specific affected product as the UI component, distinct from the backend daemon.

RemediationAI

Upgrade to CoolerControl UI version 4.0.0 or later, released at https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0, which addresses this stored XSS vulnerability. The fix likely implements proper output encoding in the log viewer component (AppInfoView.vue). For environments unable to immediately upgrade, implement compensating controls: restrict access to the UI's log viewer to trusted network segments only via firewall rules or reverse proxy authentication (reduces attack surface but does not eliminate risk if attacker can poison logs from allowed networks); sanitize or filter log entries at ingestion points if feasible (may break legitimate logging of special characters); monitor for suspicious JavaScript patterns in log files as detection mechanism (labor-intensive and bypassed by obfuscation). Note that restricting UI access does not prevent payload injection (PR:N) but does prevent execution by blocking administrator log viewing. Compensating controls are significantly less effective than patching for XSS vulnerabilities.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-5301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy