Reflected XSS Vulnerability in STIG Manager by NUWCDIVNPT
CVE-2026-41200

8.5 HIGH

Key Information:

Vendor: NUWCDIVNPT

CVE Published: 23 April 2026

What is CVE-2026-41200?

STIG Manager, an API and web client for managing Security Technical Implementation Guides (STIGs), contains a reflected cross-site scripting (XSS) vulnerability affecting versions 1.5.10 through 1.6.7. During the OIDC redirect flow the web client reads the error and error_description parameters carried on the redirect URL and writes them into the DOM via innerHTML without HTML escaping. An attacker who gets a victim to open a crafted redirect URL containing these parameters can therefore run arbitrary JavaScript in the application's origin. This is especially damaging when the victim has an active STIG Manager session in another tab: the injected script runs in the same origin, so it can reach the resources that origin shares and issue authenticated API calls to read or modify sensitive data. Version 1.6.8 fixes the issue. There are no effective workarounds, so users should upgrade.
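The pattern the advisory describes, shown as an added illustration rather than STIG Manager's own code: the OIDC error parameters are pulled from a redirect URL, interpolated into markup destined for innerHTML (the vulnerable path), and then rendered two safe ways. The callback URL, the use of the URL fragment for the response, the markup layout and every function name below are assumptions made for this example.

```javascript
// Added illustration for this advisory: reflected XSS via OIDC `error` /
// `error_description` written to the DOM through innerHTML, next to two fixed
// renderings. Not STIG Manager's code; the callback URL, fragment placement,
// markup layout and all function names are assumptions made for the example.

// Constructed sample: a redirect an attacker could craft. RFC 6749 section
// 4.1.2.1 lets the authorization server return `error` and `error_description`,
// but nothing stops a third party from sending a victim straight to the
// client's callback with attacker-chosen values.
const CRAFTED_REDIRECT =
  'https://stigman.example/callback#error=access_denied&error_description=' +
  encodeURIComponent('<img src=x onerror="alert(document.domain)">');

// Pull the OIDC error parameters from a redirect URL. Implicit/hybrid responses
// arrive in the fragment, code-flow responses in the query; handle both.
function parseOidcError(url) {
  const u = new URL(url);
  const raw = u.hash ? u.hash.slice(1) : u.search.slice(1);
  const params = new URLSearchParams(raw);
  return {
    error: params.get('error'),
    errorDescription: params.get('error_description'),
  };
}

// VULNERABLE: untrusted strings interpolated into markup that the caller then
// assigns to innerHTML. Any tag in error_description becomes live DOM and its
// event handlers run in the application's origin.
function renderErrorVulnerable(err) {
  // caller does: container.innerHTML = renderErrorVulnerable(err);
  return `<div class="oidc-error"><b>${err.error}</b>: ${err.errorDescription}</div>`;
}

// Escape the characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (c) => map[c]);
}

// FIX A: escape before building markup, so innerHTML receives inert text.
function renderErrorEscaped(err) {
  return `<div class="oidc-error"><b>${escapeHtml(err.error)}</b>: ${escapeHtml(err.errorDescription)}</div>`;
}

// FIX B (preferred in a browser): never build markup from user data at all.
// textContent and createTextNode cannot create elements, so nothing needs
// escaping. Browser-only; `doc` is the page's document.
function renderErrorDom(err, doc = globalThis.document) {
  const div = doc.createElement('div');
  div.className = 'oidc-error';
  const label = doc.createElement('b');
  label.textContent = err.error ?? '';
  div.appendChild(label);
  div.appendChild(doc.createTextNode(': ' + (err.errorDescription ?? '')));
  return div;
}

// Cheap detection hook: a legitimate identity-provider error never needs
// markup, so angle brackets in either parameter are worth logging as a probe.
function looksLikeInjection(err) {
  return /[<>]/.test(err.error ?? '') || /[<>]/.test(err.errorDescription ?? '');
}

// Self-check: the crafted payload survives into markup on the vulnerable path
// and is neutralised on the escaped path.
function demo() {
  const err = parseOidcError(CRAFTED_REDIRECT);
  const vulnerable = renderErrorVulnerable(err);
  const fixed = renderErrorEscaped(err);
  return {
    injected: vulnerable.includes('<img src=x onerror='),
    neutralised: !fixed.includes('<img') && fixed.includes('&lt;img'),
    flagged: looksLikeInjection(err),
  };
}

console.log(JSON.stringify(demo()));
```

Fix B is the one to prefer when patching a web client: once user-controlled data only ever flows through textContent or createTextNode, there is no escaping step to forget. Fix A is the minimal change when the rendering code must keep producing an HTML string. The looksLikeInjection check is a detection aid, not a defence; escaping or DOM construction is what closes the bug.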

Affected Version(s)

stig-manager >= 1.5.10, < 1.6.8

References

CVSS v4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 23 April 2026

  • Vulnerability reserved