CVE-2026-42224
HIGH
Icinga ipl/web < 0.13.1 - Reflected Cross-Site Scripting
Title source: manual
Description
ipl/web is a set of common web components for PHP projects. In versions prior to 0.13.1 and 0.10.3, a vulnerability allows an attacker to inject malicious JavaScript into a victim's browser and run it in the context of Icinga Web. The victim needs to visit a specially prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in versions 0.13.1 and 0.10.3.
References (4)
x_refsource_misc: https://github.com/Icinga/ipl-web/releases/tag/v0.10.3
x_refsource_confirm: https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf
x_refsource_misc: https://github.com/Icinga/ipl-web/commit/f387e92504d7a03bb857d1aee9b7410e06dd065d
x_refsource_misc: https://github.com/Icinga/ipl-web/releases/tag/v0.13.1
Scores
CVSS v3: 7.6
EPSS: 0.0026
EPSS Percentile: 17.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (5)
Icinga/ipl-web: < 0.10.3
Icinga/ipl-web: < 0.13.1
Icinga/ipl-web: >= 0.11.0, < 0.13.1
ipl/web (Packagist): 0 - 0.10.3
ipl/web (Packagist): 0.11.0 - 0.13.1
Published: May 08, 2026
Tracked Since: May 09, 2026