Cross-Site Scripting Vulnerability in Icinga Web Components
CVE-2026-42224

7.6 HIGH

Key Information:

Vendor

Icinga

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-42224?

A cross-site scripting vulnerability exists in the Icinga Web components prior to version 0.13.1 that allows attackers to inject malicious JavaScript into a victim's browser. The injection happens when the victim visits a specially crafted website: the malicious script then executes in the context of Icinga Web, potentially compromising user data and session security. The issue is fixed in version 0.13.1, so affected installations should be updated to that release.

Affected Version(s)

ipl-web < 0.13.1

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
