Skip to main content

Junos Space EUVDEUVD-2026-21077

| CVE-2026-21904 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-09 juniper GHSA-3cpj-89qh-f3x6
5.1
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (juniper) · only source for this CVE.

CVSS VectorVendor: juniper

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
24.1R5
EUVD ID Assigned
Apr 09, 2026 - 21:45 euvd
EUVD-2026-21077
Analysis Generated
Apr 09, 2026 - 21:45 vuln.today
CVE Published
Apr 09, 2026 - 21:26 nvd
MEDIUM 5.1

DescriptionCVE.org

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the

list filter field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.

This issue affects all versions of Junos Space before 24.1R5 Patch V3.

AnalysisAI

Stored cross-site scripting (XSS) in Juniper Networks Junos Space allows unauthenticated remote attackers to inject malicious script tags into the list filter field, which execute with the permissions of any user who views the affected page, including administrators. All versions before 24.1R5 Patch V3 are vulnerable. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

Junos Space is a network management platform developed by Juniper Networks. The vulnerability exists in improper input sanitization (CWE-79: Improper Neutralization of Input During Web Page Generation) affecting the list filter field, a web interface component. The vulnerability allows attackers to inject unescaped HTML script tags that persist in the application and execute in the context of subsequent user sessions. This is a classic stored XSS vulnerability where user-supplied input from the filter field is rendered without proper encoding or validation, enabling arbitrary JavaScript execution within the security context of the victim's browser session.

RemediationAI

The primary remediation is to upgrade to Juniper Networks Junos Space version 24.1R5 Patch V3 or later, which contains the fix for input sanitization in the list filter field. Organizations unable to immediately patch should implement compensating controls including: restricting network access to Junos Space management interfaces via firewall rules or VPN, implementing reverse proxy filtering to detect and block script injections in filter parameters, and enforcing strict Content-Security-Policy (CSP) headers if administratively feasible. Detailed patch availability and upgrade procedures are documented in Juniper Networks advisory JSA106003 (https://kb.juniper.net/JSA106003).

CVE-2017-10622 CRITICAL
9.8 Oct 13

An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un

CVE-2014-0457 CRITICAL
10.0 Apr 16

Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embed

CVE-2015-3209 HIGH
7.5 Jun 15

Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending

CVE-2014-0429 CRITICAL
10.0 Apr 16

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded

CVE-2014-2421 CRITICAL
10.0 Apr 16

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows r

CVE-2014-0456 CRITICAL
10.0 Apr 16

Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to aff

CVE-2014-3412 CRITICAL
10.0 May 20

Unspecified vulnerability in Juniper Junos Space before 13.3R1.8, when the firewall in disabled, allows remote attackers

CVE-2016-4926 CRITICAL
9.8 Mar 20

Insufficient authentication vulnerability in Junos Space before 15.2R2 allows remote network based users with access to

CVE-2016-1265 CRITICAL
9.8 Oct 13

A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or

CVE-2016-4929 HIGH
8.8 Mar 20

Command injection vulnerability in Junos Space before 15.2R2 allows attackers to execute arbitrary code as a root user.

CVE-2017-2306 HIGH
8.8 May 30

On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on

CVE-2017-2305 HIGH
8.8 May 30

On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on

Share

EUVD-2026-21077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy