Skip to main content

Openstatus EUVDEUVD-2026-20785

| CVE-2026-5808 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 VulDB GHSA-952x-346h-wrvr
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 22:01 euvd
EUVD-2026-20785
Analysis Generated
Apr 08, 2026 - 22:01 vuln.today
Patch released
Apr 08, 2026 - 22:01 nvd
Patch available
CVE Published
Apr 08, 2026 - 21:30 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/(dashboard)/onboarding/client.tsx of the component Onboarding Endpoint. The manipulation of the argument callbackURL results in cross site scripting. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The patch is identified as 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Reflected cross-site scripting (XSS) in openstatusHQ openstatus allows unauthenticated remote attackers to inject malicious scripts via the callbackURL parameter in the Onboarding Endpoint component. The vulnerability affects the onboarding client functionality and requires user interaction to exploit. Vendor has released a patched version (commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb), and no public exploit code is currently identified.

Technical ContextAI

The vulnerability exists in the Onboarding Endpoint functionality within apps/dashboard/src/app/(dashboard)/onboarding/client.tsx, where user-supplied input to the callbackURL parameter is not properly sanitized before being rendered in the web interface. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where an attacker can craft a malicious URL containing JavaScript code that executes in the context of a victim's browser when they click the link or are redirected. The openstatusHQ openstatus product operates on a rolling release basis without traditional version numbering, making it a continuous-delivery system where patches are applied directly to the codebase via commits rather than discrete releases.

RemediationAI

Vendor-released patch: commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb (merged via pull request 1981). Users operating openstatus instances should immediately pull the latest version from the main branch of https://github.com/openstatusHQ/openstatus/ to obtain the patched code. Given the rolling release model, verify your deployment is running commits after 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb by checking your git commit history. No workarounds are documented; patching is the primary remediation path. The vendor response was noted as professional and expedient, and the patch has been confirmed via the public patch reference at https://github.com/openstatusHQ/openstatus/commit/43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb.

Share

EUVD-2026-20785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy