CVE-2026-40028 MEDIUM

CVE-2026-40028: Hayabusa < 3.8.0 XSS via JSON Log Import

Vendor Yamato-Security
Product hayabusa
Weakness CWE-79 · XSS
Published April 8, 2026
Last update April 11, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in their HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. JavaScript injected into the Computer field of the JSON logs executes in the forensic examiner's browser session when the generated HTML report is viewed, leading to information disclosure or code execution.
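A pre-screening check for JSON-exported logs before they are scanned with a Hayabusa build older than 3.8.0, as an added example that is not code from Hayabusa or from this record. It assumes one JSON object per line, that the field is a key named `Computer` at any nesting depth, and that legitimate values contain only host-name characters; the sample records are constructed.

```python
import json
import re

# Assumption: a legitimate Computer value is a NetBIOS or DNS host name,
# so only letters, digits, '.', '-' and '_' are expected in it.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,253}")

# Constructed sample (one JSON object per line), not from a real case.
SAMPLE_JSONL = """\
{"Event": {"System": {"EventID": 4624, "Computer": "WS01.corp.example"}}}
{"Event": {"System": {"EventID": 4688, "Computer": "WS02<script>alert(1)</script>"}}}
{"Event": {"System": {"EventID": 4624, "Computer": "DC-01"}}}
not json at all
"""


def computer_values(node):
    """Yield every string stored under a key named 'Computer', at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Computer" and isinstance(value, str):
                yield value
            else:
                yield from computer_values(value)
    elif isinstance(node, list):
        for item in node:
            yield from computer_values(item)


def screen_jsonl(text):
    """Return (line_number, reason, value) for each line that needs review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, "unparseable", line[:80]))
            continue
        for value in computer_values(record):
            if not HOSTNAME_RE.fullmatch(value):
                findings.append((lineno, "suspicious Computer", value))
    return findings


if __name__ == "__main__":
    for lineno, reason, value in screen_jsonl(SAMPLE_JSONL):
        print(f"line {lineno}: {reason}: {value!r}")
```

Flagged lines are worth reviewing in a text editor rather than in a rendered report; the check complements, and does not replace, upgrading to 3.8.0 or later.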

Key dates

02 Disclosure timeline

April 8, 2026 CVE published
April 11, 2026 Record updated