Cross-Site Scripting Vulnerability in Hayabusa by Yamato Security
CVE-2026-40028
5.1 MEDIUM
What is CVE-2026-40028?
A cross-site scripting vulnerability exists in Hayabusa versions before 3.8.0 that enables attackers to inject malicious JavaScript within the HTML report output. This occurs when a user scans JSON-exported logs where the 'Computer' field contains harmful content. If a forensic examiner views the generated HTML report, the injected JavaScript can execute in their browser session, potentially leading to sensitive information disclosure or unauthorized code execution.
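The difference between writing the 'Computer' value into report markup as-is and HTML-encoding it first, shown as an added Rust example that is not Hayabusa's own code. All function names and sample values are constructed for illustration, and the host-name check assumes ASCII host names.

```rust
// Added illustration; not Hayabusa source code. All names are hypothetical.

/// Encode the characters that are significant in HTML text and attribute contexts.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Weak form: the log-supplied value is concatenated into markup unchanged.
fn render_cell_raw(computer: &str) -> String {
    format!("<td>{}</td>", computer)
}

/// Hardened form: the value is encoded before it reaches the report.
fn render_cell_escaped(computer: &str) -> String {
    format!("<td>{}</td>", escape_html(computer))
}

/// Triage check: a 'Computer' value should look like a host name
/// (ASCII letters, digits, '-', '.', '_'); anything else deserves a closer look.
fn is_plausible_hostname(computer: &str) -> bool {
    !computer.is_empty()
        && computer.len() <= 253
        && computer
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '.' | '_'))
}

fn main() {
    // Constructed values standing in for the 'Computer' field of JSON-exported logs.
    let samples = ["DC01.example.local", "WS07<script>/* constructed marker */</script>"];
    for s in samples {
        println!("plausible: {}", is_plausible_hostname(s));
        println!("  raw:     {}", render_cell_raw(s));
        println!("  escaped: {}", render_cell_escaped(s));
    }
}
```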
Affected Version(s)
hayabusa 0 <= 3.7.0
hayabusa 3.8.0
