Skip to main content

Coder EUVDEUVD-2026-42150

| CVE-2026-55437 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-06 https://github.com/coder/coder GHSA-7qw2-f75v-62f7
5.4
CVSS 3.1 · Vendor: https://github.com/coder/coder
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires authenticated workspace-owner access (PR:L), victim must actively view the page (UI:R), and impact crosses into victim session boundary (S:C).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorVendor: https://github.com/coder/coder

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 22:40 vuln.today

DescriptionCVE.org

Summary

The AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters.

> Note: Exploitation requires a victim to view attacker-controlled agent logs in the dashboard.

Impact

A user who could run a workspace could emit arbitrary HTML into agent logs; when another user, including an administrator, viewed the workspace page, it rendered in their session. Content Security Policy blocked inline scripts but an attacker could still inject a meta refresh redirect, style rules for UI redressing or CSS-based exfiltration or external img beacons. This required workspace-owner access and a victim viewing the page.

Patches

The fix enables escapeXML: true so HTML metacharacters are escaped before DOM insertion.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

None.

Resources

  • Fix: #25808

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22449) for independently disclosing this issue!

AnalysisAI

Stored cross-site scripting in Coder's AgentLogLine dashboard component allows any workspace owner to inject arbitrary HTML into agent log output, which renders as live markup in the browser session of any user - including administrators - who views the workspace page. The vulnerability stems from the ansi-to-html library being invoked without escapeXML: true, with output passed directly to React's dangerouslySetInnerHTML without server-side sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as workspace owner
Delivery
Configure agent to emit HTML-injected log lines
Exploit
Wait for privileged user (e.g., admin) to view workspace dashboard
Execution
ansi-to-html renders raw HTML into DOM via dangerouslySetInnerHTML
Persist
Injected HTML executes in victim browser session
Impact
Exfiltrate tokens via img beacon or redirect victim via meta refresh

Vulnerability AssessmentAI

Exploitation The attacker must hold workspace-owner access on the target Coder instance, corresponding to CVSS PR:L - a standard authenticated role available to any user granted workspace creation rights. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) appropriately captures the key constraints: the attacker requires authenticated workspace-owner access (PR:L), and a victim must actively navigate to the workspace dashboard page (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with workspace-owner privileges on a shared Coder deployment configures their workspace agent to emit log lines containing injected HTML, such as an img tag pointing to an attacker-controlled server or a meta refresh redirect to a phishing page. When an administrator navigates to the workspace dashboard to inspect or assist with the workspace, the AgentLogLine component renders the injected markup in the admin's browser session, delivering a beacon with session context or redirecting the admin to a credential-harvesting site. …
Remediation Upgrade to the patched version for your active release line: v2.34.2 (release line 2.34), v2.33.8 (release line 2.33), v2.32.7 (release line 2.32), or v2.29.17 (2.29 ESR). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy