{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5808", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-08T14:56:12.185Z", "datePublished": "2026-04-08T21:30:16.897Z", "dateUpdated": "2026-04-09T14:55:24.274Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-08T21:30:16.897Z"}, "title": "openstatusHQ openstatus Onboarding Endpoint client.tsx cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "openstatusHQ", "product": "openstatus", "versions": [{"version": "1b678e71a85961ae319cbb214a8eae634059330c", "status": "affected"}], "modules": ["Onboarding Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/(dashboard)/onboarding/client.tsx of the component Onboarding Endpoint. The manipulation of the argument callbackURL results in cross site scripting. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The patch is identified as 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-08T17:01:26.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "trebledj (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356245", "name": "VDB-356245 | openstatusHQ openstatus Onboarding Endpoint client.tsx cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356245/cti", "name": "VDB-356245 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787321", "name": "Submit #787321 | OpenStatus HQ OpenStatus 20260314 DOM-Based XSS, Open Redirect", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/TrebledJ/ab83abb1ca7ff6c1f39e16a37020f323", "tags": ["related"]}, {"url": "https://github.com/openstatusHQ/openstatus/pull/1981", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/openstatusHQ/openstatus/commit/43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb", "tags": ["patch"]}, {"url": "https://github.com/openstatusHQ/openstatus/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:55:03.630800Z", "id": "CVE-2026-5808", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:55:24.274Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"tags": ["x_open-source"], "title": "openstatusHQ openstatus Onboarding Endpoint client.tsx cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "trebledj (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:OF/RC:C"}}], "affected": [{"vendor": "openstatusHQ", "modules": ["Onboarding Endpoint"], "product": "openstatus", "versions": [{"status": "affected", "version": "1b678e71a85961ae319cbb214a8eae634059330c"}]}], "timeline": [{"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-08T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-08T17:01:26.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356245", "name": "VDB-356245 | openstatusHQ openstatus Onboarding Endpoint client.tsx cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356245/cti", "name": "VDB-356245 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787321", "name": "Submit #787321 | OpenStatus HQ OpenStatus 20260314 DOM-Based XSS, Open Redirect", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/TrebledJ/ab83abb1ca7ff6c1f39e16a37020f323", "tags": ["related"]}, {"url": "https://github.com/openstatusHQ/openstatus/pull/1981", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/openstatusHQ/openstatus/commit/43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb", "tags": ["patch"]}, {"url": "https://github.com/openstatusHQ/openstatus/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/(dashboard)/onboarding/client.tsx of the component Onboarding Endpoint. The manipulation of the argument callbackURL results in cross site scripting. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The patch is identified as 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-08T21:30:16.897Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5808", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:55:03.630800Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-09T14:55:08.443Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-5808", "state": "PUBLISHED", "dateUpdated": "2026-04-08T21:30:16.897Z", "dateReserved": "2026-04-08T14:56:12.185Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-08T21:30:16.897Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/(dashboard)/onboarding/client.tsx of the component Onboarding Endpoint. The manipulation of the argument callbackURL results in cross site scripting. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The patch is identified as 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."}], "id": "CVE-2026-5808", "lastModified": "2026-04-24T18:04:28.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:24.867", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/TrebledJ/ab83abb1ca7ff6c1f39e16a37020f323"}, {"source": "cna@vuldb.com", "url": "https://github.com/openstatusHQ/openstatus/"}, {"source": "cna@vuldb.com", "url": "https://github.com/openstatusHQ/openstatus/commit/43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb"}, {"source": "cna@vuldb.com", "url": "https://github.com/openstatusHQ/openstatus/pull/1981"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/787321"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356245"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356245/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "1b678e71a85961ae319cbb214a8eae634059330c"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "openstatus", "source": "cna", "vendor": "openstatusHQ"}, "product": "openstatus", "vendor": "openstatushq"}], "analysis": {"en": {"generated_at": "2026-04-08T22:25:14.632884+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch corresponding to commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb or upgrade to a release that includes this fix.", "If an immediate patch is unavailable, sanitise the callbackURL parameter on the client side and ensure it is rendered safely, escaping any script tags.", "Monitor application logs for suspicious script execution attempts and review user session activity for signs of compromise.", "Verify that no other components expose the callbackURL or similar unsanitized user\u2011controlled input."], "summary": {"action": "Apply Patch", "impact": "Cross Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is openstatusHQ openstatus, all releases prior to the patched commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb are vulnerable. Because the project follows a rolling\u2011release model, a specific version list is not provided; any instance running the code before that commit may be susceptible. The vulnerability resides in the client.tsx file of the onboarding endpoint, an unknown function within the dashboard sub\u2011module.", "description_and_impact": "The vulnerability allows an attacker to inject malicious script content via the callbackURL parameter in the Onboarding Endpoint component. This leads to a reflected cross\u2011site scripting condition, enabling an attacker to run arbitrary JavaScript in the victim's browser. The effect could compromise session data or perform phishing attacks, as the script runs with the privileges of the current user. The issue is identified as a classic reflected XSS (CWE\u201179) and also involves unsanitized code injection (CWE\u201194).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by tailoring the callbackURL argument, likely via a crafted URL or form submission. Mitigation requires applying the vendor patch or removing the vulnerable code path."}}}}, "created": "2026-04-09T08:16:33.594863+00:00", "updated": "2026-04-09T08:25:59.575196+00:00", "vendors": ["openstatushq", "openstatushq$PRODUCT$openstatus"]}