Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute javascript in the file browser This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.
AnalysisAI
Cross-site scripting (XSS) in Open OnDemand prior to versions 4.0.11, 4.1.5, and 4.2.2 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via specially crafted filenames displayed in the file browser interface. The vulnerability requires user interaction (clicking or viewing the malicious filename) and results in limited scope impact affecting only the confidentiality and integrity of the user's session. No public exploit code has been identified at time of analysis.
Technical ContextAI
Open OnDemand is a web-based HPC portal that provides file browser functionality for users to navigate and manage files on HPC systems. The vulnerability stems from improper output encoding of filenames (CWE-79: Improper Neutralization of Input During Web Page Generation) when rendering file listings in the browser interface. When a filename containing JavaScript payloads is displayed without proper HTML entity encoding or Content Security Policy (CSP) protections, the browser interprets and executes the malicious script in the context of the user's session with the Open OnDemand application.
RemediationAI
Upgrade to Open OnDemand version 4.0.11, 4.1.5, or 4.2.2 or later, depending on which major version branch is in use. Each branch has received a patched release that neutralizes the XSS vulnerability through proper filename output encoding. Users unable to immediately patch should implement Content Security Policy (CSP) headers with strict-dynamic or nonce-based inline script restrictions to prevent inline JavaScript execution, though this may affect legitimate functionality and should be tested thoroughly in a staging environment before production deployment. Alternatively, restrict file browser access via network segmentation or authentication policies if the functionality is not critical for all user populations. For detailed patch availability and deployment guidance, refer to the GitHub Security Advisory at https://github.com/OSC/ondemand/security/advisories/GHSA-xcv4-m435-m33h.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30306