Platform: other
Component: dbdb
Fixed in: 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10
A cross-site scripting (XSS) vulnerability has been identified in QuestDB UI versions 1.11.0 through 1.11.9. The flaw lies in an unspecified function within the Web Console and allows an attacker to inject scripts that run in the browsers of other users. Successful exploitation can lead to session hijacking or defacement. Upgrade to version 1.1.10 to mitigate this risk; the fix is identified by patch commit b42fd9f18476d844ae181a10a249e003dafb823d.
The XSS vulnerability in QuestDB UI allows an attacker to inject arbitrary JavaScript code into the Web Console. This code can then be executed in the context of a user's browser, potentially granting the attacker access to sensitive information such as session cookies or authentication tokens. With these credentials, an attacker could impersonate a legitimate user and perform actions on their behalf, including accessing and modifying data within the QuestDB database. The public availability of an exploit significantly increases the risk of exploitation, as attackers can readily leverage existing tools and techniques to target vulnerable systems.
A public proof-of-concept (PoC) for CVE-2026-0824 is available, indicating a relatively high probability of exploitation. The vulnerability was disclosed on 2026-01-10. It is not currently listed in the CISA KEV catalog, but the public availability of the exploit warrants close monitoring and prompt remediation. The CVSS score is low, but the ease of use of a public PoC elevates the practical risk.
Exploit Status
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2026-0824 is to upgrade QuestDB UI to version 1.1.10 or later. The vendor has confirmed that this fix will also be included in QuestDB 9.3.0. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as strict input validation and output encoding within the Web Console to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the Web Console and verifying that it is not executed.
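An added example, not QuestDB's own code, of the output-encoding mitigation and the post-upgrade check described above. It renders query result rows into console markup two ways (unescaped and escaped) and checks whether the probe payload survives as a tag; the column names and row values are constructed sample input.

```javascript
// Encode the five characters that let a string break out of HTML text or
// attribute context. Attribute values must additionally be quoted by the caller.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[ch]);
}

// Vulnerable pattern: untrusted cell values concatenated straight into markup.
function renderRowUnsafe(columns, row) {
  return "<tr>" + columns.map((c) => `<td>${row[c]}</td>`).join("") + "</tr>";
}

// Hardened pattern: every value is encoded before it reaches the markup.
function renderRowSafe(columns, row) {
  return "<tr>" + columns.map((c) => `<td>${escapeHtml(row[c])}</td>`).join("") + "</tr>";
}

// The verification step from the advisory: after rendering, the probe payload
// must be present only as encoded text, never as a raw tag.
const PROBE = "<script>alert(1)</script>";
function payloadIsNeutralised(html) {
  return !html.includes(PROBE) && html.includes(escapeHtml(PROBE));
}

// Constructed sample result set, as if returned by a query over a text column.
const columns = ["ts", "sym"];
const rows = [
  { ts: "2026-01-10T00:00:00Z", sym: "AAPL" },
  { ts: "2026-01-10T00:00:01Z", sym: PROBE },
];

const unsafeTable = rows.map((r) => renderRowUnsafe(columns, r)).join("");
const safeTable = rows.map((r) => renderRowSafe(columns, r)).join("");
console.log("unsafe rendering neutralised:", payloadIsNeutralised(unsafeTable)); // false
console.log("safe rendering neutralised:", payloadIsNeutralised(safeTable));     // true
```

The same check applies to any other sink in the console (attribute values, URLs, inline event handlers), each of which needs its own context-specific encoding rather than HTML text escaping alone.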
Update QuestDB UI to version 1.1.10 or higher. The update corrects a cross-site scripting (XSS) vulnerability in the Web Console. Alternatively, update to QuestDB 9.3.0, which also includes the fix.
CVE-2026-0824 is a cross-site scripting (XSS) vulnerability affecting QuestDB UI versions 1.11.0 through 1.11.9, allowing attackers to inject malicious scripts.
If you are running QuestDB UI versions 1.11.0–1.11.9, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade QuestDB UI to version 1.1.10 or later. The fix will also be included in QuestDB 9.3.0.
A public proof-of-concept is available, indicating a high probability of active exploitation.
Refer to the QuestDB security advisory for detailed information and updates: [https://questdb.io/docs/security/advisories](https://questdb.io/docs/security/advisories)