Guy Boldon - Security Researcher - Exploit Intelligence Platform

CVE-2026-5301 WRITEUP HIGH WRITEUP

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui

Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries

CVSS 7.6

View Code

CVE-2026-5300 WRITEUP MEDIUM WRITEUP

Missing Authentication for Critical Function in coolercontrold

Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests

CVSS 5.9

View Code

CVE-2026-5301 WRITEUP HIGH WRITEUP

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui

Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries

CVSS 7.6

View Code

CVE-2026-5302 WRITEUP MEDIUM WRITEUP

Permissive Cross-domain Policy with Untrusted Domains in coolercontrold

CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites

CVSS 6.3

View Code

CVE-2026-5208 WRITEUP HIGH WRITEUP

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coolercontrold

Command injection in alerts in CoolerControl/coolercontrold <4.0.0 allows authenticated attackers to execute arbitrary code as root via injected bash commands in alert names

CVSS 8.2

View Code