CVE-2026-40028

MEDIUM

Hayabusa < 3.8.0 XSS via JSON Log Import

Title source: cna

Description

Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution.

References (3)

Core 3

Core References

Product product

Release Notes

https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0

Vendor Advisory vendor-advisory

Mobasi Sentinel Vulnerability Index

https://mobasi.ai/sentinel

Third Party Advisory third-party-advisory

VulnCheck Advisory: Hayabusa < 3.8.0 XSS via JSON Log Import

https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import

Scores

CVSS v3 5.4

EPSS 0.0020

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

Yamato-Security/hayabusa < 3.7.0

yamato-security/hayabusa < 3.8.0

Yamato-Security/hayabusa 3.8.0

Published Apr 08, 2026

Tracked Since Apr 09, 2026