CVE-2026-44541

HIGH

Fides fides.js - DOM-Based Cross-Site Scripting via fides_description

Title source: manual

Description

Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5.

References (3)

Core 3

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/ethyca/fides/security/advisories/GHSA-5qrq-9645-g5g2

X_Refsource_Misc x_refsource_misc

https://github.com/ethyca/fides/commit/67e43b10b1096c7f84d5c0eeba08ee3b7846b7cd

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/ethyca/fides/releases/tag/2.84.5

Scores

CVSS v4 7.0

EPSS 0.0030

EPSS Percentile 21.1%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

ethyca/fides >= 2.33.0, < 2.84.5

pypi/ethyca-fides 2.33.0 - 2.84.5PyPI

Published Jun 08, 2026

Tracked Since Jun 09, 2026