Skip to main content

CFEngine Enterprise EUVDEUVD-2026-30277

| CVE-2026-24710 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 mitre GHSA-hx33-3mv6-v6pf
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 17:00 vuln.today
CVSS changed
May 14, 2026 - 16:22 NVD
6.1 (MEDIUM)
CVE Published
May 14, 2026 - 00:00 nvd
MEDIUM 6.1
CVE Published
May 14, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Northern.tech CFEngine Enterprise before versions 3.21.8, 3.24.3, and 3.27.0 allows remote attackers to inject malicious scripts into web application responses. User interaction is required to trigger the vulnerability, limiting real-time automation of attacks but enabling account compromise, session hijacking, or credential theft against CFEngine administrators and users. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

CFEngine Enterprise is a configuration management and infrastructure automation platform that includes web-based administrative interfaces. The vulnerability stems from improper input sanitization or output encoding in the web UI, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting'). Affected versions prior to 3.21.8, 3.24.3, and 3.27.0 fail to adequately escape or filter user-supplied data before rendering it in HTML contexts, allowing attackers to embed arbitrary JavaScript code that executes in the victim's browser when they interact with the compromised interface.

RemediationAI

Upgrade CFEngine Enterprise immediately to version 3.21.8, 3.24.3, or 3.27.0 or later depending on your current release line. Northern.tech has released patched versions addressing this XSS vulnerability and two related flaws (CVE-2026-24711 and CVE-2026-24712 per the vendor blog). No workarounds are available for XSS vulnerabilities without patching. If immediate upgrade is not feasible, restrict administrative access to the CFEngine Enterprise web UI to trusted networks only using firewall or reverse-proxy authentication rules, implement Content Security Policy (CSP) headers to mitigate script injection, and disable browser script execution where feasible in administrative workstations - though these measures do not eliminate the vulnerability itself. Refer to https://cfengine.com/blog/2026/cve-2026-24710-and-cve-2026-24711-and-cve-2026-24712/ for detailed patching instructions and version-specific guidance.

Share

EUVD-2026-30277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy