Platform: javascript
Component: openstatus
Fixed in: 1.0.1
CVE-2026-5808 is a cross-site scripting (XSS) vulnerability in openstatusHQ openstatus, affecting versions up to commit 1b678e71a85961ae319cbb214a8eae634059330c. The flaw lies in the onboarding endpoint's handling of the callbackURL argument: a crafted value for that parameter lets an attacker inject script into the application, which can lead to data theft or account takeover. A fix is available as commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. Callback and redirect parameters typically become script-execution sinks when the supplied value is passed to a redirect, a location assignment or a link target without restricting its scheme and origin, so that a javascript: URL or an attacker-controlled host is accepted as a destination; the advisory does not publish the exact sink, so treat that as the general pattern rather than a confirmed detail of this bug.
Successful exploitation of CVE-2026-5808 lets an attacker run arbitrary JavaScript in the context of a victim's browser session with the openstatus application. Typical consequences are theft of session material such as authentication tokens or cookies (where they are readable from script), actions performed with the victim's privileges, redirection to phishing pages, and modification of what the application displays. The vulnerability is remotely exploitable: the attacker needs only to get a victim to follow a crafted link, not access to the host. Because openstatus is used for uptime monitoring and status pages, a compromised operator account could expose monitor configuration and incident data or be used to publish false status information to the organisation's users.
CVE-2026-5808 was publicly disclosed on 2026-04-08. It is not listed in CISA's KEV catalog, and its EPSS score is 0.04% (12th percentile), which indicates a low estimated probability of exploitation in the next 30 days. No public proof-of-concept (PoC) code has been released at the time of writing. Note that an XSS reachable through a single URL parameter is usually easy to weaponise once the sink is known, so a low EPSS is not a reason to defer the upgrade. Monitor security advisories and threat intelligence feeds for any indication of exploitation.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-5808 is to upgrade to a build that contains fix commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb (listed above as fixed in 1.0.1). Since openstatus is developed on a rolling basis, check which commit your deployment actually runs rather than assuming the fix is present; for a source checkout, confirm that the fix commit is an ancestor of the deployed revision. Until you can update, the workaround is strict validation of callbackURL at the onboarding endpoint: accept only relative paths on the application's own origin (or an explicit allowlist of destinations), reject any value whose scheme is not http or https, and reject protocol-relative (//host) and backslash-prefixed values, which browsers and URL parsers treat as absolute URLs. A WAF rule matching obvious payloads such as javascript: may catch opportunistic scanning but is easily bypassed with encoding variations and should not be treated as a fix. In application and access logs, watch for requests to the onboarding endpoint whose callbackURL value carries a scheme other than http(s), a host other than your own, or URL-encoded script fragments.
Update to a build containing the patch commit (43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb) to close the Cross-Site Scripting (XSS) vulnerability in the onboarding endpoint. The fix corrects the handling of the callbackURL argument that previously allowed script injection. Consult the vendor's documentation for detailed upgrade instructions.
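The validation and log-review advice above, shown as an added example. This is illustration code written for this page, not openstatus code and not the upstream fix; it assumes an application origin of https://app.example, a fallback landing path of /app, an endpoint path of /api/onboarding, and a simplified "ip method target status" log format, none of which come from the advisory. It goes slightly beyond the text by rejecting control characters, userinfo tricks and backslash-prefixed values, which the WHATWG URL parser would otherwise normalise into an absolute URL.

```javascript
// Added illustration of a strict callbackURL validator plus a log check built on it.
// NOT openstatus code and NOT the upstream fix; the application origin,
// fallback path and endpoint path below are assumptions for the example.

const APP_ORIGIN = "https://app.example"; // assumed origin of the deployment
const DEFAULT_TARGET = "/app";            // assumed safe landing page

// Classify a callbackURL value. Returns { ok: true, path } for a same-origin
// http(s) destination, otherwise { ok: false, reason } explaining the rejection.
function checkCallbackUrl(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "missing-or-oversized" };
  }
  // The WHATWG parser silently strips tabs and newlines, so "java\tscript:"
  // parses as javascript:. Rejecting control characters and whitespace up front
  // avoids depending on that normalisation.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: "control-character" };
  }
  let parsed;
  try {
    parsed = new URL(raw, appOrigin); // relative paths resolve against our own origin
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Only http(s) may ever be a redirect target; javascript:, data:, vbscript:
  // and similar schemes are script-execution vectors, not destinations.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, reason: `scheme:${parsed.protocol.replace(/:$/, "")}` };
  }
  // Origin comparison catches "//evil.example", "\\evil.example",
  // "https://app.example@evil.example" and lookalike hosts alike.
  if (parsed.origin !== new URL(appOrigin).origin) {
    return { ok: false, reason: `foreign-origin:${parsed.origin}` };
  }
  // Hand back a relative path so the value can never reintroduce a scheme or host.
  return { ok: true, path: parsed.pathname + parsed.search + parsed.hash };
}

// Drop-in replacement for redirecting to callbackURL directly:
// unsafe values fall back to a fixed page instead of being passed through.
function safeCallbackUrl(raw, appOrigin = APP_ORIGIN) {
  const verdict = checkCallbackUrl(raw, appOrigin);
  return verdict.ok ? verdict.path : DEFAULT_TARGET;
}

// Constructed sample access-log lines in a simplified "ip method target status"
// format (not real openstatus logs), used to run the same check as a detection.
const SAMPLE_LOG = [
  "203.0.113.5 GET /api/onboarding?callbackURL=%2Fdashboard 302",
  "203.0.113.7 GET /api/onboarding?callbackURL=javascript%3Aalert(document.cookie) 302",
  "198.51.100.2 GET /api/onboarding?callbackURL=%2F%2Fevil.example%2Fphish 302",
  "198.51.100.9 GET /api/onboarding?callbackURL=https%3A%2F%2Fapp.example%2Fsettings 302",
  "198.51.100.9 GET /api/status 200",
];

// Flag requests whose callbackURL would have been rejected by checkCallbackUrl.
function flagSuspiciousCallbacks(lines, appOrigin = APP_ORIGIN) {
  const hits = [];
  for (const line of lines) {
    const m = /^(\S+) (\S+) (\S+) (\d{3})$/.exec(line);
    if (!m) continue;
    const [, ip, , target] = m;
    let request;
    try {
      request = new URL(target, appOrigin);
    } catch {
      continue;
    }
    const cb = request.searchParams.get("callbackURL"); // percent-decoded
    if (cb === null) continue; // not an onboarding callback request
    const verdict = checkCallbackUrl(cb, appOrigin);
    if (!verdict.ok) hits.push({ ip, callbackURL: cb, reason: verdict.reason });
  }
  return hits;
}
```

Running flagSuspiciousCallbacks(SAMPLE_LOG) over the constructed lines flags the javascript: and the protocol-relative //evil.example values while leaving the relative path and the same-origin absolute URL alone. The validator returns a relative path rather than echoing the input so that whatever the caller does with the result, it cannot carry a scheme or host the attacker chose.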
CVE-2026-5808 is a cross-site scripting (XSS) vulnerability in openstatusHQ openstatus versions up to commit 1b678e71a85961ae319cbb214a8eae634059330c, reachable through the callbackURL argument of the onboarding endpoint, that allows attackers to inject malicious scripts.
You are affected if you run any openstatusHQ openstatus build that does not include fix commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. Upgrade immediately.
Upgrade to a build containing commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb (listed as fixed in 1.0.1) and keep your deployment on a recent release so that subsequent fixes are picked up.
There are currently no confirmed reports of active exploitation, but it's crucial to apply the patch promptly to mitigate the risk.
Refer to the openstatusHQ security advisories page for the latest information and updates regarding CVE-2026-5808.