CVE-2024-26135 HIGH

CVE-2024-26135: MeshCentral cross-site websocket hijacking (CSWSH) vulnerability

Vendor Ylianst
Product MeshCentral
Weakness CWE-346 · Origin validation
Published February 20, 2024
Last update April 22, 2025

CVSS base score

8.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

MeshCentral is a full computer management web site. Versions prior to 1.1.21 contain a cross-site websocket hijacking (CSWSH) vulnerability within the `control.ashx` endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosted on an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to `control.ashx` as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue.
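As an added illustration (not MeshCentral's code and not its 1.1.21 patch), the following shows the kind of server-side Origin check that CWE-346 refers to, applied to the headers of a WebSocket upgrade request. The host name `mesh.example.com`, the allow-list and the function names are assumptions made for this example.

```javascript
// Added example: Origin validation for a WebSocket upgrade (CWE-346).
// ALLOWED_ORIGINS and all host names below are constructed values.
const ALLOWED_ORIGINS = new Set(['https://mesh.example.com']);

// Normalise an Origin header to scheme://host[:port]; null if unusable.
function parseOrigin(value) {
  // Opaque origins (sandboxed frames, file:) arrive as the string "null".
  if (typeof value !== 'string' || value === '' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // A genuine Origin header has no path, query, fragment or credentials.
  if (url.pathname !== '/' || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin; // default ports are dropped, host is lower-cased
}

// Decide whether an upgrade request may proceed. Browsers always send
// Origin on a WebSocket handshake, so a missing header is refused too
// (design choice: non-browser clients would need a separate auth path).
function isAllowedUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  if ((headers.upgrade || '').toLowerCase() !== 'websocket') return false;
  const origin = parseOrigin(headers.origin);
  // Exact match on the normalised origin; never prefix or substring match.
  return origin !== null && allowed.has(origin);
}

// Constructed handshake headers (Node lower-cases header names).
const SAMPLES = {
  sameSite:   { upgrade: 'websocket', origin: 'https://mesh.example.com' },
  explicit443:{ upgrade: 'WebSocket', origin: 'https://mesh.example.com:443' },
  crossSite:  { upgrade: 'websocket', origin: 'https://other.example.net' },
  lookalike:  { upgrade: 'websocket', origin: 'https://mesh.example.com.other.example.net' },
  downgraded: { upgrade: 'websocket', origin: 'http://mesh.example.com' },
  opaque:     { upgrade: 'websocket', origin: 'null' },
  noOrigin:   { upgrade: 'websocket' },
};

function checkSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = isAllowedUpgrade(headers);
  }
  return out;
}
```

The check matters because the same-origin policy does not restrict WebSocket handshakes and the browser attaches the victim's session cookies to them, so the server's own comparison of `Origin` is what separates a same-site page from a third-party one.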

Key dates

02 Disclosure timeline

February 20, 2024 CVE published
April 22, 2025 Record updated