Cross-Site Scripting in Coder Remote Development Environments
CVE-2026-55437
5.4MEDIUM
What is CVE-2026-55437?
The vulnerability in Coder allows remote development environments to be exploited through improper handling of HTML content in agent logs. The AgentLogLine component did not properly escape HTML metacharacters, leading to a potential cross-site scripting (XSS) attack when users viewed manipulated agent logs. This exposure enables attackers to inject malicious scripts. The issue has been resolved in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 by enabling escapeXML: true, ensuring that dangerous HTML is neutralized before being inserted into the DOM.
Affected Version(s)
coder >= 2.34.0, < 2.34.2 < 2.34.0, 2.34.2
coder >= 2.33.0, < 2.33.8 < 2.33.0, 2.33.8
coder >= 2.30.0, < 2.32.7 < 2.30.0, 2.32.7
