CVE-2022-50942 MEDIUM

CVE-2022-50942: Incinga Web 2.8.2 Client-Side Cross-Site Scripting via EventListener

Vendor Incinga

Product Incinga Web

Weakness CWE-79 · XSS

Published February 1, 2026

Last update February 3, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.

Key dates

02Disclosure timeline

February 1, 2026 CVE published

February 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-50942 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-33955 WordPress Freesia Empire theme <= 1.4.1 - Cross Site Scripting (XSS) vulnerability CVE-2025-69018 WordPress Web Directory Free plugin <= 1.7.12 - Cross Site Scripting (XSS) vulnerability CVE-2026-31379 Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager CVE-2025-9442 StreamWeasels Kick Integration <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via vodsChannel Parameter CVE-2025-10551 Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x