CVE-2026-5301 HIGH

CVE-2026-5301: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui

Vendor Coolercontrol
Product coolercontrol-ui
Weakness CWE-79 · XSS
Published April 8, 2026
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

What the vulnerability does

01Description

Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries

Key dates

02Disclosure timeline

April 8, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-12221 Turnkey bbPress by WeaverTheme <= 1.6.3 - Reflected Cross-Site Scripting via _wpnonce Parameter CVE-2024-9211 FULL – Cliente <= 3.1.22 - Reflected Cross-Site Scripting CVE-2025-24735 WordPress Chatra Live Chat + ChatBot + Cart Saver plugin <= 1.0.11 - Cross Site Scripting (XSS) Vulnerability CVE-2025-64790 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-9442 StreamWeasels Kick Integration <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via vodsChannel Parameter