Skip to main content

Open OnDemand EUVDEUVD-2026-30306

| CVE-2026-44371 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 security-advisories@github.com
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 14, 2026 - 16:01 EUVD
Analysis Generated
May 14, 2026 - 15:33 vuln.today
CVE Published
May 14, 2026 - 15:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute javascript in the file browser This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.

AnalysisAI

Cross-site scripting (XSS) in Open OnDemand prior to versions 4.0.11, 4.1.5, and 4.2.2 allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via specially crafted filenames displayed in the file browser interface. The vulnerability requires user interaction (clicking or viewing the malicious filename) and results in limited scope impact affecting only the confidentiality and integrity of the user's session. No public exploit code has been identified at time of analysis.

Technical ContextAI

Open OnDemand is a web-based HPC portal that provides file browser functionality for users to navigate and manage files on HPC systems. The vulnerability stems from improper output encoding of filenames (CWE-79: Improper Neutralization of Input During Web Page Generation) when rendering file listings in the browser interface. When a filename containing JavaScript payloads is displayed without proper HTML entity encoding or Content Security Policy (CSP) protections, the browser interprets and executes the malicious script in the context of the user's session with the Open OnDemand application.

RemediationAI

Upgrade to Open OnDemand version 4.0.11, 4.1.5, or 4.2.2 or later, depending on which major version branch is in use. Each branch has received a patched release that neutralizes the XSS vulnerability through proper filename output encoding. Users unable to immediately patch should implement Content Security Policy (CSP) headers with strict-dynamic or nonce-based inline script restrictions to prevent inline JavaScript execution, though this may affect legitimate functionality and should be tested thoroughly in a staging environment before production deployment. Alternatively, restrict file browser access via network segmentation or authentication policies if the functionality is not critical for all user populations. For detailed patch availability and deployment guidance, refer to the GitHub Security Advisory at https://github.com/OSC/ondemand/security/advisories/GHSA-xcv4-m435-m33h.

Share

EUVD-2026-30306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy