
MultiJuicer EUVD-2026-36999

CVE-2026-48518 (MEDIUM)
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-15 · GitHub_M
CVSS 3.1 base score 4.3 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 4.3 MEDIUM
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

vuln.today AI: 5.4 MEDIUM
PR:N and UI:R confirmed by description; C:L added over vendor score because victim data entered post-hijack reaches attacker's instance.
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 15, 2026 - 22:57 (vuln.today)
Analysis Generated: Jun 15, 2026 - 22:57 (vuln.today)
Patch available: Jun 15, 2026 - 22:32 (EUVD)

Description (CVE.org)

MultiJuicer is used to run separate Juice Shop instances on a central Kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including text/plain. Because that content type does not trigger a CORS preflight, an attacker could host a cross-site HTML form that auto-submits to the endpoint and forces a victim's browser to log in as the attacker's team. A successful, undetected attacker can cause victims to unwittingly solve Juice Shop challenges under the attacker's team identity. In a CTF context this lets the attacker inflate their team's score using other players' activity, and any sensitive data the victim enters into "their" Juice Shop ends up in the attacker's instance. The vulnerability is exploitable without any prior authentication; the victim only needs to visit a page the attacker controls while having network access to the MultiJuicer deployment. SameSite=Strict on the session cookie does not mitigate this, because the attack plants a new cookie rather than relying on an existing one. This issue was fixed in version 10.0.1.
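One way to close the gap described above, as an added example in Go that is not MultiJuicer's own code or its actual 10.0.1 fix: the join handler rejects any body that is not application/json (a content type an HTML form cannot produce, so a cross-origin script caller would have to pass a CORS preflight) and refuses requests carrying an unexpected Origin header. The deployment origin https://juicer.example.test, the passcode value and the stand-in handler are assumptions made for this example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// The deployment's own origin; an assumed value for this example.
var allowedOrigins = map[string]bool{"https://juicer.example.test": true}

// checkJoinRequest returns "" when the request may proceed, else a rejection reason.
// An HTML form can only send urlencoded, multipart or text/plain bodies, none of which
// triggers a CORS preflight; demanding JSON forces any cross-origin caller through one.
func checkJoinRequest(r *http.Request) string {
	ct, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || ct != "application/json" {
		return "unsupported content type"
	}
	// Browsers attach Origin to every cross-origin POST and a page cannot strip it.
	if o := r.Header.Get("Origin"); o != "" && !allowedOrigins[o] {
		return "cross-site origin"
	}
	return ""
}

// joinHandler stands in for the join endpoint; a real one would next verify the passcode and set the team cookie.
func joinHandler(w http.ResponseWriter, r *http.Request) {
	if reason := checkJoinRequest(r); reason != "" {
		http.Error(w, reason, http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// joinStatus runs one constructed request through joinHandler and returns the status code.
func joinStatus(contentType, origin string) int {
	req := httptest.NewRequest(http.MethodPost, "/multi-juicer/api/teams/attacker-team/join", strings.NewReader(`{"passcode":"12345678"}`))
	req.Header.Set("Content-Type", contentType)
	req.Header.Set("Origin", origin) // "" models a non-browser client that sends no Origin
	rec := httptest.NewRecorder()
	joinHandler(rec, req)
	return rec.Code
}

func main() {
	// Cross-site text/plain form post vs. same-origin JSON call: prints 403 200.
	fmt.Println(joinStatus("text/plain", "https://evil.example.test"), joinStatus("application/json", "https://juicer.example.test"))
}
```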

Analysis (AI)

{team}/join), exploiting the fact that text/plain Content-Type does not trigger a CORS preflight check. In CTF deployments this allows score inflation by forcing victims to solve Juice Shop challenges credited to the attacker's team; any sensitive data entered by the victim is also captured in the attacker's Juice Shop instance. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Attacker registers team on target MultiJuicer cluster
Delivery: Attacker hosts malicious page with auto-submitting HTML form
Exploit: Victim visits attacker page while browser can reach cluster
Execution: Browser POSTs to join endpoint with text/plain, no CORS preflight fired
Persist: Server accepts request and sets attacker-team cookie in victim browser
Impact: Victim unknowingly solves challenges credited to attacker's team

Vulnerability Assessment (AI)

Exploitation: The victim must be a CTF participant with an active browser session and network access to the MultiJuicer deployment (versions 8.0.0-10.0.0). …
Risk Assessment: The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects a medium-severity, network-reachable CSRF with low attack complexity, no required privileges, mandatory victim interaction, and limited integrity impact. …
Exploit Scenario: An attacker registers a team on the target MultiJuicer CTF deployment and then hosts a web page containing a hidden HTML form that auto-submits via JavaScript to POST /multi-juicer/api/teams/{attacker-team}/join with Content-Type: text/plain, triggering no CORS preflight. When a CTF participant visits the attacker's page while connected to the same MultiJuicer cluster, their browser silently joins the attacker's team, and all subsequent challenge solves and data inputs are attributed to and captured by the attacker.
Remediation: Upgrade MultiJuicer to version 10.0.1 or later; this is the primary and recommended remediation. …
