Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution.
AnalysisAI
Hayabusa versions before 3.8.0 contain a stored cross-site scripting (XSS) vulnerability in HTML report generation that allows authenticated attackers to inject arbitrary JavaScript into the Computer field of JSON-exported logs, which executes in a forensic examiner's browser when viewing the generated HTML report. The vulnerability requires user interaction (report viewing) and results in information disclosure or session compromise, affecting forensic analysis workflows that process untrusted or adversary-controlled log data.
Technical ContextAI
Hayabusa is a Windows event log forensic analysis tool that ingests JSON-exported logs and generates HTML reports for investigation. The vulnerability exists in the HTML report template generation code (CWE-79: Improper Neutralization of Input During Web Page Generation), where user-controllable input from the Computer field in JSON logs is not properly sanitized or encoded before being inserted into the HTML output. An attacker who can influence the JSON log data (e.g., via log injection, lateral movement in a Windows environment, or supply of malicious forensic samples) can embed JavaScript payloads that persist in the generated HTML artifact. When a forensic examiner opens the report in a browser, the unescaped JavaScript executes in their security context, potentially accessing session tokens, exfiltrating analysis data, or pivoting to the examiner's workstation.
RemediationAI
Vendor-released patch: Hayabusa 3.8.0 or later. Users should immediately upgrade to version 3.8.0 or newer, which includes proper HTML entity encoding and sanitization of the Computer field and other user-controllable inputs in the HTML report template. For organizations unable to upgrade immediately, forensic teams should restrict the processing of JSON logs from untrusted sources, validate JSON log integrity before processing, and review generated HTML reports in a sandboxed browser environment or use server-side report generation without browser execution. The official advisory is available at https://mobasi.ai/sentinel and additional technical details are documented in the VulnCheck advisory (https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20767
GHSA-jpj3-m5q9-54rf