Platform
go
Component
github.com/casdoor/casdoor
Fixed version
2.356.1
1.1000.1
A cross-site scripting (XSS) vulnerability has been identified in Casdoor versions up to 1.1000.0. This flaw resides within the dangerouslySetInnerHTML function, allowing attackers to inject malicious scripts by manipulating the formCss, formCssMobile, or formSideHtml arguments. The vulnerability can be exploited remotely and a public proof-of-concept is available, posing a significant risk to deployments. A fix is expected from the vendor.
Successful exploitation of CVE-2026-5468 allows an attacker to inject arbitrary JavaScript code into a user's browser session within the Casdoor application. This can lead to a variety of malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. The attacker could potentially gain access to sensitive user data or compromise the entire Casdoor instance, depending on the privileges of the affected user. The availability of a public exploit significantly increases the likelihood of widespread exploitation.
CVE-2026-5468 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability was reported on 2026-04-03. The vendor was contacted but did not respond. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring.
Organizations utilizing Casdoor for authentication and authorization, particularly those relying on custom themes or configurations that leverage the dangerouslySetInnerHTML function, are at risk. Shared hosting environments where multiple applications share the same Casdoor instance are also vulnerable, as a compromise of one application could potentially impact others.
• go / server:
find /var/log/casdoor -type f -name '*.log' -exec grep -il 'dangerouslySetInnerHTML' {} +
• generic web:
curl -sI <casdoor_url>/ | grep -i 'content-security-policy'
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5468 is to upgrade to a patched version of Casdoor. Unfortunately, a specific fixed version is not yet available. Until a patch is released, consider implementing input validation and sanitization on the formCss, formCssMobile, and formSideHtml parameters to prevent malicious code injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor Casdoor logs for suspicious activity, particularly related to user input and rendering of HTML content.
Update Casdoor to a version later than 2.356.0 that fixes the cross-site scripting (XSS) vulnerability in the dangerouslySetInnerHTML function. Since no specific version is named as fixed, it is recommended to contact the vendor to obtain an updated release or to apply a patch that mitigates the vulnerability.
CVE-2026-5468 is a cross-site scripting (XSS) vulnerability in Casdoor versions up to 1.1000.0, affecting the dangerouslySetInnerHTML function and allowing remote code execution.
You are affected if you are using Casdoor versions 1.1000.0 or earlier. The vulnerability allows remote exploitation via manipulation of HTML parameters.
Upgrade to a patched version of Casdoor as soon as it becomes available. Until then, implement input validation and sanitization and consider WAF rules.
A public proof-of-concept exploit exists, indicating a high probability of active exploitation. Monitor your Casdoor instance closely.
Check the Casdoor GitHub repository and official documentation for updates and security advisories regarding CVE-2026-5468.