Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Lifecycle Timeline
8DescriptionCVE.org
Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries
AnalysisAI
Remote stored cross-site scripting in CoolerControl UI's log viewer (versions 2.0.0 through 3.x) enables complete service compromise when administrators view poisoned log entries. GitLab-reported vulnerability affects coolercontrol-ui versions before 4.0.0. Attack requires user interaction (administrator must view logs) but no authentication to inject payload. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No public exploit identified at time of analysis, not listed in CISA KEV.
Technical ContextAI
CoolerControl is a Linux cooling device control application with a web-based UI component (coolercontrol-ui). The vulnerability is a classic stored XSS (CWE-79) in the AppInfoView.vue component's log viewer functionality. Code review of the vulnerable 2.0.0 and 3.1.1 releases shows the log display mechanism directly renders log entries without proper sanitization or output encoding. The affected component (AppInfoView.vue line 224 in v2.0.0, line 350 in v3.1.1) likely uses Vue.js's v-html directive or equivalent unsafe rendering method. An attacker can inject malicious JavaScript into application logs through various input vectors (network requests, hardware sensor data, configuration files), which then executes in the context of an administrator's browser session when viewing logs. The CPE string cpe:2.3:a:coolercontrol:coolercontrol-ui identifies the specific affected product as the UI component, distinct from the backend daemon.
RemediationAI
Upgrade to CoolerControl UI version 4.0.0 or later, released at https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0, which addresses this stored XSS vulnerability. The fix likely implements proper output encoding in the log viewer component (AppInfoView.vue). For environments unable to immediately upgrade, implement compensating controls: restrict access to the UI's log viewer to trusted network segments only via firewall rules or reverse proxy authentication (reduces attack surface but does not eliminate risk if attacker can poison logs from allowed networks); sanitize or filter log entries at ingestion points if feasible (may break legitimate logging of special characters); monitor for suspicious JavaScript patterns in log files as detection mechanism (labor-intensive and bypassed by obfuscation). Note that restricting UI access does not prevent payload injection (PR:N) but does prevent execution by blocking administrator log viewing. Compensating controls are significantly less effective than patching for XSS vulnerabilities.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20459
GHSA-6vr8-827j-mg8v