Skip to main content

Casdoor EUVDEUVD-2026-18655

| CVE-2026-5468 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 VulDB
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

5
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.1 (MEDIUM) 2.0 (LOW)
EUVD ID Assigned
Apr 03, 2026 - 13:45 euvd
EUVD-2026-18655
Analysis Generated
Apr 03, 2026 - 13:45 vuln.today
CVE Published
Apr 03, 2026 - 13:30 nvd
MEDIUM 5.1

DescriptionCVE.org

A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in Casdoor 2.356.0 via the dangerouslySetInnerHTML function allows authenticated remote attackers to inject malicious scripts through the formCss, formCssMobile, or formSideHtml parameters. An attacker with authenticated access can craft payloads that execute arbitrary JavaScript in the context of other users' browsers when they view affected forms. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, indicating no coordinated patch timeline.

Technical ContextAI

The vulnerability stems from unsafe use of the dangerouslySetInnerHTML React function without proper input sanitization on user-controlled CSS and HTML parameters. The CWE-79 classification confirms this is a cross-site scripting flaw where untrusted user input is rendered directly as HTML/CSS without encoding or validation. The affected parameters (formCss, formCssMobile, formSideHtml) are form configuration fields that accept styling or markup, but the application fails to sanitize these inputs before passing them to dangerouslySetInnerHTML, allowing style-based or script-based XSS payloads to execute. This is particularly dangerous in authentication/form contexts where user sessions may be hijacked or credentials stolen.

RemediationAI

No vendor-released patch identified at time of analysis. The vendor did not respond to early disclosure attempts. Users should immediately audit form configuration permissions and restrict access to formCss, formCssMobile, and formSideHtml parameters to trusted administrators only. As a temporary mitigation, implement Content Security Policy (CSP) headers to restrict inline script execution and disable script-src for user-controlled content. Input validation should be enforced server-side to reject or sanitize any CSS or HTML containing script tags, event handlers (onclick, onload, etc.), or suspicious Unicode/encoding patterns. Monitor Casdoor's GitHub repository and security advisories for any future patch releases. Consider migrating to alternative form builders if Casdoor does not address this vulnerability within your organization's acceptable timeframe.

CVE-2022-38638 CRITICAL POC
9.1 Sep 09

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2022-44942 HIGH POC
8.1 Dec 07

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

CVE-2023-34927 MEDIUM POC
6.5 Jun 22

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo

CVE-2024-41658 MEDIUM POC
6.1 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS

CVE-2026-6815 MEDIUM POC
5.9 May 11

Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi

CVE-2026-9097 CRITICAL
9.8 May 28

Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic

CVE-2026-9094 CRITICAL
9.8 May 28

Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc

CVE-2026-9093 CRITICAL
9.8 May 28

SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb

CVE-2026-9092 CRITICAL
9.1 May 28

Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s

CVE-2026-9098 CRITICAL
9.1 May 28

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity

CVE-2026-9090 CRITICAL
9.1 May 28

Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat

Share

EUVD-2026-18655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy