CVE-2026-5301 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in coolercontrol-ui, a Vue.js-based user interface. This vulnerability allows unauthenticated attackers to inject malicious JavaScript code into the system through poisoned log entries, potentially leading to account takeover and other malicious actions. The vulnerability impacts versions 2.0.0 through 4.0.0 of coolercontrol-ui, and a fix is available in version 4.0.0.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code into the log viewer, which will be executed in the context of the user's browser. This allows the attacker to steal session cookies, redirect users to malicious websites, deface the application, or even execute arbitrary code on the server if the user has sufficient privileges. The attack surface is broad, as any unauthenticated user can potentially inject malicious log entries. Successful exploitation could lead to complete compromise of the coolercontrol-ui instance and potentially the underlying system if the UI is integrated with other critical services.
CVE-2026-5301 was publicly disclosed on 2026-04-08. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a POC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the potential impact, suggests a medium probability of exploitation.
Organizations using coolercontrol-ui in production environments, particularly those with publicly accessible log viewers, are at risk. Shared hosting environments where multiple users share the same coolercontrol-ui instance are also particularly vulnerable, as an attacker could potentially inject malicious log entries that affect other users.
• vue / generic web:
  curl -s 'http://<coolercontrol-ui-url>/log' | grep -i '<script>'
• vue / generic web:
  curl -s 'http://<coolercontrol-ui-url>/log' | grep -i 'onerror='
• vue / generic web:
  curl -s 'http://<coolercontrol-ui-url>/log' | grep -i 'javascript:'
Exploitation status: EPSS 0.02% (6th percentile)
The primary mitigation for CVE-2026-5301 is to upgrade to version 4.0.0 of coolercontrol-ui, which contains the fix. If upgrading immediately is not possible, consider implementing input sanitization and output encoding on all user-supplied data displayed in the log viewer. Specifically, ensure that all log entries are properly escaped before being rendered in the browser. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and harden the application's security configuration to minimize the attack surface.
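As an added illustration of the mitigation above and of the grep-style checks listed earlier (example code written for this page, not coolercontrol-ui's own source), the snippet below renders constructed log lines the vulnerable way (raw HTML interpolation, the equivalent of Vue's v-html) beside the hardened way (HTML-escaped output, the equivalent of Vue's default {{ }} text interpolation), and flags entries that carry XSS-shaped content so they can be investigated before being displayed.

```javascript
// Added example, not coolercontrol-ui's own code. The log lines are
// constructed samples, not real coolercontrol output.
const SAMPLE_LOG_LINES = [
  '2026-04-08 10:00:01 INFO  fan controller started',
  '2026-04-08 10:00:02 WARN  sensor "<script>alert(1)</script>" not found',
  '2026-04-08 10:00:03 INFO  profile <img src=x onerror=alert(1)> loaded',
];

// Output encoding: escape the characters that can change HTML context.
// This is the "properly escaped before being rendered" step from the text.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: log text is concatenated straight into markup,
// so a poisoned entry becomes live HTML in the viewer's page.
function renderLogUnsafe(lines) {
  return '<pre>' + lines.join('\n') + '</pre>';
}

// Hardened pattern: every entry is escaped first, so the same poisoned
// entry is shown as literal text instead of being executed.
function renderLogSafe(lines) {
  return '<pre>' + lines.map(escapeHtml).join('\n') + '</pre>';
}

// Detection helper mirroring the three grep checks: returns the entries
// that contain script tags, onerror handlers or javascript: URLs.
const SUSPICIOUS_PATTERNS = [/<script\b/i, /\bonerror\s*=/i, /javascript:/i];
function findSuspiciousEntries(lines) {
  return lines.filter((line) => SUSPICIOUS_PATTERNS.some((re) => re.test(line)));
}
```

Running `findSuspiciousEntries(SAMPLE_LOG_LINES)` returns the two poisoned entries, and `renderLogSafe` emits them as `&lt;script&gt;...` text rather than executable markup.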
Update to version 4.0.0 or later to mitigate the XSS vulnerability. This update corrects the improper neutralization of input during web page generation, preventing the injection of malicious JavaScript code into log viewer entries.
CVE-2026-5301 is a stored Cross-Site Scripting (XSS) vulnerability in coolercontrol-ui versions 2.0.0–4.0.0 that allows attackers to inject malicious JavaScript via poisoned log entries.
You are affected if you are running coolercontrol-ui versions 2.0.0 through 4.0.0 and have not yet upgraded to version 4.0.0.
Upgrade to version 4.0.0 of coolercontrol-ui. As a temporary mitigation, implement input sanitization and output encoding on all user-supplied data displayed in the log viewer.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that it will be exploited, and a POC is expected to be released.
Refer to the coolercontrol-ui project's repository or website for the official advisory and release notes regarding CVE-2026-5301.