{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33061", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.342Z", "datePublished": "2026-03-20T07:34:14.077Z", "dateUpdated": "2026-03-30T12:39:35.052Z"}, "containers": {"cna": {"title": "Jexactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2"}, {"name": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd", "tags": ["x_refsource_MISC"], "url": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd"}], "affected": [{"vendor": "Jexactyl", "product": "Jexactyl", "versions": [{"version": ">= 025e8dbb0daaa04054276bda814d922cf4af58da, < e28edb204e80efab628d1241198ea4f079779cfd", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T12:39:35.052Z"}, "descriptions": [{"lang": "en", "value": "Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd."}], "source": {"advisory": "GHSA-6xgw-mmmv-57h2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:49:01.159315Z", "id": "CVE-2026-33061", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:49:26.452Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33061", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:49:01.159315Z"}}}], "references": [{"url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:49:21.671Z"}}], "cna": {"title": "Jexactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template", "source": {"advisory": "GHSA-6xgw-mmmv-57h2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Jexactyl", "product": "Jexactyl", "versions": [{"status": "affected", "version": ">= 025e8dbb0daaa04054276bda814d922cf4af58da, < e28edb204e80efab628d1241198ea4f079779cfd"}]}], "references": [{"url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2", "name": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd", "name": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T12:39:35.052Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33061", "state": "PUBLISHED", "dateUpdated": "2026-03-30T12:39:35.052Z", "dateReserved": "2026-03-17T19:27:06.342Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T07:34:14.077Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jexactyl:jexactyl:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C552E32-4BAD-440D-B29A-B2E02246AE20", "versionEndIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "08A85D83-EB57-4B0B-B35F-0CCAAA46E973", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "7916B5CF-2EB4-46CC-A1B9-A2923509D81D", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "3F082307-4A99-4365-9931-9D8948C998D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "7373C273-098A-41E1-A8A8-CAB1358B828A", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "3967F8B9-EFB8-4B74-AF96-DDE4D81D91BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "E1EFCCD5-7C2A-478D-A484-81007FE6FB19", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "887913CA-22D9-489C-8B13-3D52CA759405", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4878F19-2FBC-4230-A944-9F87B31B1C96", "vulnerable": true}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "C3A132E3-C73F-4783-AA85-A1222BA437BF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd."}, {"lang": "es", "value": "exactyl es un panel de gesti\u00f3n de juegos y sistema de facturaci\u00f3n personalizable. Commits despu\u00e9s de 025e8dbb0daaa04054276bda814d922cf4af58da y antes de e28edb204e80efab628d1241198ea4f079779cfd inyectan objetos del lado del servidor en JavaScript del lado del cliente a trav\u00e9s de resources/views/templates/wrapper.blade.php. Usar {!! json_encode(...) !!} sin escapar y sin banderas de codificaci\u00f3n segura permite que los valores de cadena salgan del contexto de JavaScript y sean interpretados como HTML/JS por el navegador. Si alg\u00fan campo serializado contiene contenido controlado por el atacante, como un nombre de usuario, nombre de visualizaci\u00f3n o valor de configuraci\u00f3n del sitio, una carga \u00fatil maliciosa ejecutar\u00e1 un script arbitrario para cualquier usuario que vea la p\u00e1gina (XSS DOM almacenado). Este problema ha sido parcheado por el commit e28edb204e80efab628d1241198ea4f079779cfd."}], "id": "CVE-2026-33061", "lastModified": "2026-04-14T17:56:38.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T08:16:12.090", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[025e8dbb0daaa04054276bda814d922cf4af58da,e28edb204e80efab628d1241198ea4f079779cfd)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Jexactyl", "source": "cna", "vendor": "Jexactyl"}, "product": "jexactyl", "vendor": "jexactyl"}], "analysis": {"en": {"generated_at": "2026-04-14T21:10:59.240586+00:00", "value": {"mitigation_remediation": ["Apply the patch from commit e28edb204e80efab628d1241198ea4f079779cfd or upgrade to Jexactyl 4.0.0 rc2 or newer.", "If an immediate upgrade is not possible, modify the wrapper.blade.php template to safely encode JSON data, for example by using json_encode with appropriate escape flags or by rendering the JSON as a string literal.", "Verify that all user\u2011controlled values are no longer rendered raw in client\u2011side JavaScript and test the page to confirm the vulnerability is remediated."], "summary": {"action": "Immediate Patch", "impact": "Stored DOM XSS"}, "threat_synthesis": {"affected_systems": "Jexactyl installations, particularly versions 4.0.0.\n\nFor the 4.0.0 series, all beta releases (4.0.0 beta1 through beta7) and release candidates (4.0.0 rc1 and rc2) are affected. Any prior release of Jexactyl that includes the vulnerable template code prior to commit e28edb204e80efab628d1241198ea4f079779cfd is also impacted. The issue was fixed in the referenced commit and therefore any version newer than that commit is considered safe.", "description_and_impact": "The vulnerability in Jexactyl allows arbitrary script execution through a stored DOM cross\u2011site scripting flaw. Server\u2011side JSON objects are injected directly into a Blade template using an unescaped JSON helper, causing user\u2011controlled string values to break out of the JavaScript context. When a page containing the affected template is rendered, the embedded script runs in the victim\u2019s browser, providing an attacker with full control over that session and the ability to manipulate or exfiltrate data. This weakness is consistent with CWE\u201179, which covers cross\u2011site scripting flaws.", "risk_and_exploitability": "The CVSS score of 5.8 indicates moderate theoretical severity, while an EPSS score of less than 1% suggests a low current exploitation likelihood. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, further supporting low public exploit activity. The attack vector, inferred from the description, is client\u2011side browser execution triggered by normal loading of a Jexactyl page. An attacker must first supply malicious content into a server\u2011side field that is later JSON\u2011encoded, such as a username, display name, or site configuration value. Once the vulnerable page is viewed by any authenticated or unauthenticated user, the malicious script will execute in that user\u2019s browser context."}}}}, "created": "2026-03-20T10:36:52.151835+00:00", "updated": "2026-04-15T16:45:09.821316+00:00", "vendors": ["jexactyl", "jexactyl$PRODUCT$jexactyl"]}