Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Stored XSS requires authenticated workspace-owner access (PR:L), victim must actively view the page (UI:R), and impact crosses into victim session boundary (S:C).
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorVendor: https://github.com/coder/coder
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Summary
The AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters.
> Note: Exploitation requires a victim to view attacker-controlled agent logs in the dashboard.
Impact
A user who could run a workspace could emit arbitrary HTML into agent logs; when another user, including an administrator, viewed the workspace page, it rendered in their session. Content Security Policy blocked inline scripts but an attacker could still inject a meta refresh redirect, style rules for UI redressing or CSS-based exfiltration or external img beacons. This required workspace-owner access and a victim viewing the page.
Patches
The fix enables escapeXML: true so HTML metacharacters are escaped before DOM insertion.
The fix was backported to all supported release lines:
Workarounds
None.
Resources
- Fix: #25808
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22449) for independently disclosing this issue!
AnalysisAI
Stored cross-site scripting in Coder's AgentLogLine dashboard component allows any workspace owner to inject arbitrary HTML into agent log output, which renders as live markup in the browser session of any user - including administrators - who views the workspace page. The vulnerability stems from the ansi-to-html library being invoked without escapeXML: true, with output passed directly to React's dangerouslySetInnerHTML without server-side sanitization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold workspace-owner access on the target Coder instance, corresponding to CVSS PR:L - a standard authenticated role available to any user granted workspace creation rights. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) appropriately captures the key constraints: the attacker requires authenticated workspace-owner access (PR:L), and a victim must actively navigate to the workspace dashboard page (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with workspace-owner privileges on a shared Coder deployment configures their workspace agent to emit log lines containing injected HTML, such as an img tag pointing to an attacker-controlled server or a meta refresh redirect to a phishing page. When an administrator navigates to the workspace dashboard to inspect or assist with the workspace, the AgentLogLine component renders the injected markup in the admin's browser session, delivering a beacon with session context or redirecting the admin to a credential-harvesting site. … |
| Remediation | Upgrade to the patched version for your active release line: v2.34.2 (release line 2.34), v2.33.8 (release line 2.33), v2.32.7 (release line 2.32), or v2.29.17 (2.29 ESR). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42150
GHSA-7qw2-f75v-62f7