CVE-2026-42224 HIGH

CVE-2026-42224: ipl/web is vulnerable to reflected XSS by malformed search requests

Vendor Icinga
Product ipl-web
Weakness CWE-79 · XSS
Published May 8, 2026
Last update June 9, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

ipl/web is a set of common web components for php projects. Prior to versions 0.13.1 and 0.10.3, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in versions 0.13.1 and 0.10.3.

Key dates

02Disclosure timeline

May 8, 2026 CVE published
June 9, 2026 Record updated