Platform: vue
Component: coolercontrol-ui
Fixed in: 4.0.0
CVE-2026-5301 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in coolercontrol-ui, a Vue.js-based user interface. This vulnerability allows unauthenticated attackers to inject malicious JavaScript code into the system through poisoned log entries, potentially leading to account takeover and other malicious actions. The vulnerability impacts versions 2.0.0 through 4.0.0 of coolercontrol-ui, and a fix is available in version 4.0.0.
The impact of this XSS vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as session cookies, authentication tokens, and personally identifiable information (PII). Attackers could also use this vulnerability to redirect users to malicious websites, deface the application, or perform other actions on behalf of the user. The lack of authentication requirement means that any user can trigger this vulnerability by injecting malicious code into a log entry, expanding the potential attack surface.
CVE-2026-5301 was publicly disclosed on 2026-04-08. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.6 (HIGH) indicates a significant risk, and it is recommended to prioritize remediation efforts. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations using coolercontrol-ui in production environments, particularly those with publicly accessible log viewers, are at risk. Shared hosting environments where multiple users share the same coolercontrol-ui instance are also particularly vulnerable, as an attacker could potentially inject malicious log entries that affect other users.
Detection checks (vue / generic web), fetching the log endpoint and searching the response for markup that should not appear in legitimate log text:
• curl -s 'http://<coolercontrol-ui-url>/log' | grep -i '<script>'
• curl -s 'http://<coolercontrol-ui-url>/log' | grep -i 'onerror='
• curl -s 'http://<coolercontrol-ui-url>/log' | grep -i 'javascript:'
EPSS: 0.02% (6th percentile)
The primary mitigation for CVE-2026-5301 is to upgrade coolercontrol-ui to version 4.0.0 or later, which contains the fix for this vulnerability. As an immediate workaround, implement strict input sanitization and output encoding on all user-supplied data that is displayed in the log viewer. This can help prevent the execution of malicious JavaScript code. Consider using a Web Application Firewall (WAF) to filter out potentially malicious requests. Regularly review and update your security policies and procedures to ensure that they are aligned with industry best practices.
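The grep checks above and the output-encoding workaround in this paragraph, as an added JavaScript example that is not coolercontrol-ui's own code: a constructed log with poisoned entries, the unsafe concatenation pattern beside its encoded form, and a scan that flags the same markers the curl one-liners look for. In a Vue template the encoded path corresponds to default `{{ }}` text interpolation rather than `v-html`; the function names and sample lines are assumptions.

```javascript
// Constructed sample log lines (not real coolercontrol output): one benign
// entry and two carrying markup/URL schemes that a log viewer must not render.
const SAMPLE_LOG = [
  '2026-04-08 10:00:01 INFO  device initialized',
  '2026-04-08 10:00:02 WARN  device name: <img src=x onerror="alert(1)">',
  '2026-04-08 10:00:03 INFO  profile "javascript:void(0)" loaded',
];

// Minimal HTML entity encoding for text placed in element content or a
// quoted attribute value. Everything that can open a tag, entity or quote
// becomes its entity reference.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw entry is concatenated into markup. Assigned to
// innerHTML (or rendered with v-html) the browser parses the <img> tag and
// runs its onerror handler, i.e. stored XSS.
function renderLogEntryUnsafe(entry) {
  return `<div class="log-line">${entry}</div>`;
}

// Hardened pattern: the entry is encoded before it reaches the markup, so
// the same bytes display as literal text and never become a parsed element.
function renderLogEntrySafe(entry) {
  return `<div class="log-line">${escapeHtml(entry)}</div>`;
}

// Defender-side check equivalent to the curl | grep one-liners: return the
// entries containing markers that have no business in legitimate log text.
const SUSPICIOUS_MARKERS = [/<script/i, /onerror\s*=/i, /javascript:/i];
function findSuspiciousEntries(lines) {
  return lines.filter((line) => SUSPICIOUS_MARKERS.some((re) => re.test(line)));
}

// Stand-alone demonstration of both the scan and the two render paths.
for (const entry of findSuspiciousEntries(SAMPLE_LOG)) {
  console.log('flagged :', entry);
  console.log('unsafe  :', renderLogEntryUnsafe(entry));
  console.log('encoded :', renderLogEntrySafe(entry));
}
```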
Upgrade to version 4.0.0 or later to mitigate the XSS vulnerability. This update corrects the missing neutralization of input during web page generation, preventing the injection of malicious JavaScript code into log viewer entries.
CVE-2026-5301 is a stored Cross-Site Scripting (XSS) vulnerability in coolercontrol-ui versions 2.0.0–4.0.0 that allows attackers to inject malicious JavaScript via poisoned log entries.
You are affected if you are running coolercontrol-ui versions 2.0.0 through 4.0.0 and have not yet upgraded to version 4.0.0.
Upgrade to version 4.0.0 of coolercontrol-ui. As a temporary mitigation, implement input sanitization and output encoding on all user-supplied data displayed in the log viewer.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that it will be exploited, and a POC is expected to be released.
Refer to the coolercontrol-ui project's repository or website for the official advisory and release notes regarding CVE-2026-5301.