Platform
other
Component
dbdb
Fixed in
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.11.6
1.11.7
1.11.8
1.11.9
1.11.10
A cross-site scripting (XSS) vulnerability has been identified in QuestDB UI versions 1.11.0 through 1.11.9. This flaw affects an unknown function within the Web Console, allowing attackers to inject malicious scripts. Successful exploitation can lead to session hijacking or defacement. Upgrade to version 1.1.10 to mitigate this risk, with a patch identified as b42fd9f18476d844ae181a10a249e003dafb823d.
The XSS vulnerability in QuestDB UI allows an attacker to inject arbitrary JavaScript code into the Web Console. This code can then be executed in the context of a user's browser, potentially granting the attacker access to sensitive information such as session cookies or authentication tokens. With these credentials, an attacker could impersonate a legitimate user and perform actions on their behalf, including accessing and modifying data within the QuestDB database. The public availability of an exploit significantly increases the risk of exploitation, as attackers can readily leverage existing tools and techniques to target vulnerable systems.
A public proof-of-concept (PoC) for CVE-2026-0824 is available, indicating a relatively high probability of exploitation. The vulnerability was disclosed on 2026-01-10. While not currently listed on CISA KEV, the public availability of the exploit warrants close monitoring and prompt remediation. Although the CVSS score is low, the availability of an easy-to-use public PoC raises the practical risk.
Organizations utilizing QuestDB UI in production environments, particularly those running versions 1.11.0 through 1.11.9, are at risk. Shared hosting environments where multiple users share the same QuestDB instance are especially vulnerable, as an attacker could potentially compromise the entire system through a single user's session.
• generic web: Use curl to test for XSS vulnerabilities in the Web Console. Try injecting <script>alert(1)</script> into various input fields and observe the response.
    curl -X POST -d '<script>alert(1)</script>' <web_console_url>
• generic web: Examine access and error logs for suspicious patterns related to script injection attempts.
• generic web: Review response headers for any unusual content or modifications that might indicate XSS activity.
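As an added example (not from the advisory or from QuestDB itself), the log-review step above implemented as a small Python scanner: it parses Combined Log Format access log lines, URL-decodes the request path and flags requests that carry typical script-injection probes. The log lines are constructed samples; the script assumes POST bodies are not logged, so only the path and query string are inspected.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (Combined Log Format), for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2026:12:00:02 +0000] "GET /exec?query=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.9 - - [10/Jan/2026:12:00:03 +0000] "GET /?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2026:12:00:04 +0000] "POST /exec HTTP/1.1" 200 40 "-" "curl/8.0"
"""

# Client IP, timestamp, method, request path and status from one Combined Log Format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Patterns typical of reflected-XSS probing, matched against the URL-decoded path.
XSS_PATTERNS = [
    re.compile(r'<\s*script\b', re.I),   # <script> tags
    re.compile(r'\bon[a-z]+\s*=', re.I),  # inline event handlers such as onerror=
    re.compile(r'javascript\s*:', re.I),  # javascript: URLs
]


def decode_path(path):
    """URL-decode up to twice so double-encoded payloads are also visible."""
    prev = None
    for _ in range(2):
        if path == prev:
            break
        prev, path = path, unquote_plus(path)
    return path


def find_xss_attempts(log_text):
    """Return (ip, timestamp, decoded path) for each request that looks like an XSS probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = decode_path(m.group("path"))
        if any(p.search(decoded) for p in XSS_PATTERNS):
            hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, path in find_xss_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} {path}")
```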
disclosure
poc
patch
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0824 is to upgrade QuestDB UI to version 1.1.10 or later. The vendor has confirmed that this fix will also be included in QuestDB 9.3.0. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as strict input validation and output encoding within the Web Console to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the Web Console and verifying that it is not executed.
Update questdb ui to version 1.1.10 or later. The update fixes a Cross-Site Scripting (XSS) vulnerability in the web console. Alternatively, you can update to QuestDB 9.3.0, which also includes the fix.
CVE-2026-0824 is a cross-site scripting (XSS) vulnerability affecting QuestDB UI versions 1.11.0 through 1.11.9, allowing attackers to inject malicious scripts.
If you are running QuestDB UI versions 1.11.0–1.11.9, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade QuestDB UI to version 1.1.10 or later. The fix will also be included in QuestDB 9.3.0.
A public proof-of-concept is available, indicating a high probability of active exploitation.
Refer to the QuestDB security advisory for detailed information and updates: [https://questdb.io/docs/security/advisories](https://questdb.io/docs/security/advisories)