Skip to main content

Valhalla

1 CVEs product

Monthly

CVE-2026-49294 MEDIUM This Month

Reflected XSS in Valhalla's JSONP endpoint allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious URL containing payload in the callback parameter. All versions through 3.6.3 are affected, and the CVSS scope change (S:C) reflects that execution occurs in the serving origin's context rather than a sandboxed one, enabling session theft and unauthorized actions on authenticated victims. No patch was available at time of publication, and no public exploit code has been identified at time of analysis.

XSS Valhalla
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Valhalla's JSONP endpoint allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious URL containing payload in the callback parameter. All versions through 3.6.3 are affected, and the CVSS scope change (S:C) reflects that execution occurs in the serving origin's context rather than a sandboxed one, enabling session theft and unauthorized actions on authenticated victims. No patch was available at time of publication, and no public exploit code has been identified at time of analysis.

XSS Valhalla
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy