Description
ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attackers can inject scripts via parameters in /_db/_system/_admin/aardvark/index.html to execute JavaScript in authenticated users' browsers.
Core References
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/46407
Various Sources (product): https://www.arangodb.com
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/arangodb-community-edition-xss-via-aardvark-admin
Scores
CVSS v3: 5.4
EPSS: 0.0004
EPSS Percentile: 11.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1): Arangodb/ArangoDB Community Edition 3.4.2-1
Published: Feb 15, 2026
Tracked Since: Feb 18, 2026