Cross-Site Scripting in Coder Remote Development Environments
CVE-2026-55437

5.4MEDIUM

Key Information:

Vendor

Coder

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-55437?

The vulnerability in Coder allows remote development environments to be exploited through improper handling of HTML content in agent logs. The AgentLogLine component did not properly escape HTML metacharacters, leading to a potential cross-site scripting (XSS) attack when users viewed manipulated agent logs. This exposure enables attackers to inject malicious scripts. The issue has been resolved in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 by enabling escapeXML: true, ensuring that dangerous HTML is neutralized before being inserted into the DOM.

Affected Version(s)

coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2

coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8

coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.