Skip to main content

Stig Manager

1 CVEs product

Monthly

CVE-2026-41200 HIGH PATCH This Week

Reflected Cross-Site Scripting in STIG Manager 1.5.10 through 1.6.7 enables arbitrary JavaScript execution during OIDC authentication error handling. Attackers crafting malicious redirect URLs can exploit unsanitized error parameters written directly to DOM via innerHTML. When victims with active sessions follow these links, injected code executes in application context with access to SharedWorker-managed authentication tokens, enabling authenticated API requests to read and modify STIG assessment collection data. CVSS 8.5 reflects high confidentiality and integrity impact despite requiring user interaction. No public exploit identified at time of analysis; vendor-released patch available in version 1.6.8.

XSS Stig Manager
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.1%
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Reflected Cross-Site Scripting in STIG Manager 1.5.10 through 1.6.7 enables arbitrary JavaScript execution during OIDC authentication error handling. Attackers crafting malicious redirect URLs can exploit unsanitized error parameters written directly to DOM via innerHTML. When victims with active sessions follow these links, injected code executes in application context with access to SharedWorker-managed authentication tokens, enabling authenticated API requests to read and modify STIG assessment collection data. CVSS 8.5 reflects high confidentiality and integrity impact despite requiring user interaction. No public exploit identified at time of analysis; vendor-released patch available in version 1.6.8.

XSS Stig Manager
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy