LOWCVE-2024-47826CVSS 3.5

CVE-2024-47826: XSS in eLabFTW ≤ 5.1.5

Q: What is CVE-2024-47826 — XSS in eLabFTW ≤ 5.1.5?

CVE-2024-47826 is a Cross-Site Scripting (XSS) vulnerability in eLabFTW versions up to 5.1.5, allowing attackers to inject HTML into specific pages.

Q: Am I affected by CVE-2024-47826 in eLabFTW?

You are affected if you are using eLabFTW version 5.1.5 or earlier. Upgrade to 5.1.5 to resolve the vulnerability.

Q: How do I fix CVE-2024-47826 in eLabFTW?

Upgrade eLabFTW to version 5.1.5 or later. Consider input validation and WAF rules as temporary mitigations.

Q: Is CVE-2024-47826 being actively exploited?

There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.

Q: Where can I find the official eLabFTW advisory for CVE-2024-47826?

Refer to the eLabFTW project's official website or security advisories for the latest information.

Platform

php

Component

elabftw

Fixed in

5.1.6

AI Confidence: highNVDEPSS 0.4%Reviewed: May 2026

View on NVD

Save

CVE-2024-47826 describes a Cross-Site Scripting (XSS) vulnerability affecting eLabFTW versions prior to 5.1.5. This flaw allows attackers to inject arbitrary HTML tags into specific pages within the application, potentially leading to information disclosure or defacement. The vulnerability impacts the "experiments.php" (show mode), "database.php" (show mode), and "search.php" pages. A fix is available in version 5.1.5.

Impact and Attack Scenarios

An attacker can exploit this XSS vulnerability by crafting a malicious HTML payload and injecting it into the extended search string within the affected pages. When a user views the page containing the injected HTML, their browser will execute the malicious code. While the vulnerability description notes that arbitrary JavaScript execution is not possible due to security measures, the injected HTML can still be used for various malicious purposes, such as displaying misleading information, redirecting users to phishing sites, or stealing sensitive data through cross-site scripting techniques. The blast radius is limited to users accessing the affected pages, but the impact can be significant depending on the attacker's goals.

Exploitation Context

CVE-2024-47826 was publicly disclosed on 2024-10-14. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept (POC) code is not widely available, but the vulnerability's nature makes it relatively easy to exploit given access to the affected pages.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.38% (59% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componentelabftw

Vendorelabftw

Affected rangeFixed in

< 5.1.5 – < 5.1.55.1.6

Weakness Classification (CWE)

CWE-79 CWE-94

Timeline

Reserved2024-10-03
Published2024-10-14
Modified2024-10-15
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-47826 is to upgrade eLabFTW to version 5.1.5 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the extended search string to prevent the injection of malicious HTML. Web Application Firewalls (WAFs) can also be configured to filter out potentially malicious requests containing HTML tags in the search parameters. Regularly review and update your security policies and procedures to address potential XSS vulnerabilities.

How to fix

Update eLabFTW to version 5.1.5 or higher. This version contains a fix for the HTML injection vulnerability. The update can be performed through the software's usual update channels.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-47826 — XSS in eLabFTW ≤ 5.1.5?