Versions listed: 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10
A cross-site scripting (XSS) vulnerability has been identified in QuestDB UI versions 1.11.0 through 1.11.9. The flaw lies in an unspecified function of the Web Console and lets an attacker inject script into the console page. Successful exploitation can lead to session hijacking or defacement. Upgrade to version 1.11.10 to mitigate this risk; the fix is commit b42fd9f18476d844ae181a10a249e003dafb823d.
The XSS vulnerability in QuestDB UI lets an attacker inject arbitrary JavaScript into the Web Console. That script runs in the victim's browser within the console's origin, where it can read session cookies or authentication tokens that are not protected by HttpOnly and can issue any request the console itself is permitted to make. With that access an attacker can act as the logged-in user, including reading and modifying data through the console's SQL interface. The public availability of an exploit raises the practical risk, since attackers can reuse it directly rather than having to rediscover the injection point.
A public proof-of-concept (PoC) for CVE-2026-0824 is available, which lowers the effort required to exploit the flaw. The vulnerability was disclosed on 2026-01-10. It is not currently listed on CISA KEV and its EPSS score is low (0.06%, 18th percentile), but the public PoC warrants close monitoring and prompt remediation. The low CVSS score reflects the limited impact of a single XSS and the need for user interaction, not the difficulty of exploitation, which the public PoC reduces.
Organizations running QuestDB UI versions 1.11.0 through 1.11.9 in production are at risk. Multi-user deployments where several people share one QuestDB instance and its Web Console are the most exposed: a payload delivered through one user's session (for example via a crafted console link) runs with that user's privileges and can be used to act on the database on their behalf.
• generic web: Use curl to check whether user-controlled input is reflected into the Web Console's HTML without encoding. Send a harmless marker such as <script>alert(1)</script> in the console's input fields and URL parameters and inspect the response body for the marker appearing unencoded. curl only shows reflection; whether the script actually executes must be confirmed in a browser.
curl -X POST -d '<script>alert(1)</script>' <web_console_url>
• generic web: Examine access and error logs for script-injection attempts against the console, remembering that payloads are usually percent-encoded (sometimes twice) in the request line and may also appear in the Referer header of follow-up requests.
• generic web: Review response headers and bodies for unexpected content or modifications that might indicate XSS activity.
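The log review step above, worked through as an added example (this is not QuestDB's code or tooling). It assumes the console sits behind a web server writing Apache/Nginx "combined" format access logs; the log lines, IPs and hostname are constructed for the demonstration. Request targets and Referer values are percent-decoded repeatedly before matching, so single- and double-encoded probes are both caught, while a bare `<` inside legitimate SQL is not flagged.

```javascript
// Added example (not QuestDB code): scan web-server access log lines for
// XSS-style probes against the QuestDB Web Console. Assumes "combined"
// log format in front of the console; the sample lines are constructed.
'use strict';

// Patterns that rarely appear in legitimate console traffic. Matching is
// done on the URL-decoded request target, so %3Cscript%3E is caught too.
const XSS_INDICATORS = [
  /<\s*script/i,
  /<\s*(img|svg|iframe|body|object|embed)\b/i,
  /\bon[a-z]+\s*=/i,          // onerror=, onload=, ...
  /javascript\s*:/i,
  /<\s*\/\s*script/i,
];

// Combined log format:
// ip - user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/;

// Decode percent-encoding repeatedly (probes are often double-encoded) and
// never throw on malformed sequences, which are used to evade naive decoders.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch (_) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Returns one record per suspicious line: who, when, what was requested,
// and which indicator patterns matched.
function findXssIndicators(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, time, method, target, status, referer] = m;
    // Check the request target and the Referer: the crafted link that delivers
    // a reflected payload often shows up in the Referer of follow-up requests.
    const decoded = fullyDecode(target) + ' ' + fullyDecode(referer);
    const matched = XSS_INDICATORS.filter((re) => re.test(decoded)).map((re) => re.source);
    if (matched.length) hits.push({ ip, time, method, target, status: Number(status), matched });
  }
  return hits;
}

// Constructed sample lines, not taken from a real server.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Jan/2026:12:00:01 +0000] "GET /exec?query=select+1 HTTP/1.1" 200 51 "-" "curl/8.0"',
  '10.0.0.9 - - [10/Jan/2026:12:00:07 +0000] "GET /?query=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [10/Jan/2026:12:00:08 +0000] "GET /assets/app.js HTTP/1.1" 200 9921 "http://db.example/?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E" "Mozilla/5.0"',
  '10.0.0.7 - - [10/Jan/2026:12:01:00 +0000] "GET /?query=select+%27%3C%27+from+t HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
];

for (const h of findXssIndicators(SAMPLE_LOG)) console.log(JSON.stringify(h));
```

Run it with `node` against your own log by replacing `SAMPLE_LOG` with the file's lines. Expect two hits from the sample: the directly encoded `<script>` probe and the double-encoded `<img onerror>` probe carried in a Referer; the `select '<' from t` query is not reported.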
Timeline: disclosure, PoC, patch
Exploitation status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0824 is to upgrade QuestDB UI to version 1.11.10 or later. The vendor has confirmed that the fix will also be included in QuestDB 9.3.0. If an immediate upgrade is not feasible, the only real workaround is strict output encoding of every untrusted value the Web Console renders (together with input validation where the input format is known); this means changing the console's rendering code or fronting it with a proxy, since the flaw is in the UI itself. A Web Application Firewall (WAF) configured to block XSS payloads adds a layer of protection, but only for payloads that traverse the request path and are not encoded in a way the WAF fails to normalise. After upgrading, confirm the fix by submitting a simple payload (e.g. <script>alert(1)</script>) through the console's inputs and verifying in a browser that it is rendered as text and not executed.
Upgrade QuestDB UI to 1.11.10 or later. This update fixes the cross-site scripting (XSS) vulnerability in the Web Console. Alternatively, upgrade to QuestDB 9.3.0, which also contains this fix.
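What "output encoding" and "confirm the fix" mean in practice, as an added example that is not QuestDB's code and does not claim to show where the real bug lives. It assumes, hypothetically, a console that concatenates untrusted strings (query text, table names, error messages) into HTML in both text and attribute context. It shows the weak rendering beside the hardened one and a string-level check that reports which probe payloads come back in an executable form; the same check applied to a real response body is the curl-based test above in a form that does not rely on reading the HTML by eye. A passing check here is evidence of correct encoding, not a substitute for confirming non-execution in a browser.

```javascript
// Added example (not QuestDB code): contextual output encoding for values a
// web console renders, plus a reflection check that verifies an HTML body does
// not echo probe payloads unencoded. The rendering functions are hypothetical.
'use strict';

// Encode for HTML text *and* quoted-attribute context. Escaping only '<' and '>'
// is a common partial fix: it stops <script> but not " onmouseover=... inside
// an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// The pattern behind this class of bug: untrusted data concatenated into markup.
function renderCellUnsafe(name, value) {
  return `<td title="${name}">${value}</td>`;
}

// Hardened form: every interpolation passes through escapeHtml.
function renderCellSafe(name, value) {
  return `<td title="${escapeHtml(name)}">${escapeHtml(value)}</td>`;
}

// Probe set covering text and attribute context. Each probe has a "signature"
// that only survives in the output if the characters giving it meaning were
// left unencoded (a bare '<', a closing '"' or ''').
const PROBES = [
  { ctx: 'text',      payload: '<script>alert(1)</script>',    signature: /<script>/i },
  { ctx: 'attribute', payload: '" onmouseover="alert(1)',       signature: /" onmouseover="/i },
  { ctx: 'attribute', payload: "' autofocus onfocus='alert(1)", signature: /' autofocus onfocus='/i },
];

// Given markup returned by the console (or any HTML body), report which probes
// came back in executable form. An empty array means nothing leaked.
function reflectedUnencoded(html) {
  return PROBES.filter((p) => p.signature.test(html)).map((p) => p.ctx + ':' + p.payload);
}

// Drive a renderer through every probe (in both positions) and collect leaks.
function verifyRenderer(render) {
  return reflectedUnencoded(PROBES.map((p) => render(p.payload, p.payload)).join('\n'));
}

console.log('unsafe renderer leaks:', verifyRenderer(renderCellUnsafe));
console.log('safe renderer leaks:  ', verifyRenderer(renderCellSafe));
```

To reuse the check against a live console, pass the response body from the curl probe to `reflectedUnencoded`; the probe strings in `PROBES` are what to send. Note that `escapeHtml` is correct for text and quoted-attribute context only; values placed into URLs, inline scripts or CSS need their own encoders.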
CVE-2026-0824 is a cross-site scripting (XSS) vulnerability affecting QuestDB UI versions 1.11.0 through 1.11.9, allowing attackers to inject malicious scripts.
If you are running QuestDB UI versions 1.11.0–1.11.9, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade QuestDB UI to version 1.11.10 or later. The fix will also be included in QuestDB 9.3.0.
A public proof-of-concept is available, which lowers the effort needed to exploit the flaw; the vulnerability is not listed on CISA KEV and its EPSS score is low (0.06%), so there is no evidence on this page of active exploitation.
Refer to the QuestDB security advisory for detailed information and updates: [https://questdb.io/docs/security/advisories](https://questdb.io/docs/security/advisories)