Description
A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as well.
References (9)
Core 9
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.340357
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.340357
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.733253
Various Sources related
https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20QuestDB%20database.md
Various Sources product
https://github.com/questdb/ui/
Issue Tracking exploit
issue-tracking
https://github.com/questdb/ui/pull/519#issue-3790862030
Issue Tracking issue-tracking
patch
https://github.com/questdb/ui/pull/518
Release Notes patch
https://github.com/questdb/questdb/releases/tag/9.3.0
Scores
CVSS v3
3.5
EPSS
0.0006
EPSS Percentile
18.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-94
Status
published
Products (12)
questdb/ui
1.1.10
questdb/ui
1.11.0
questdb/ui
1.11.1
questdb/ui
1.11.2
questdb/ui
1.11.3
questdb/ui
1.11.4
questdb/ui
1.11.5
questdb/ui
1.11.6
questdb/ui
1.11.7
questdb/ui
1.11.8
... and 2 more
Published
Jan 10, 2026
Tracked Since
Feb 18, 2026