CVE-2026-5808

MEDIUM

openstatusHQ openstatus Onboarding Endpoint client.tsx cross site scripting

Title source: cna

Description

A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. It affects an unknown function in the file apps/dashboard/src/app/(dashboard)/onboarding/client.tsx of the component Onboarding Endpoint. Manipulation of the argument callbackURL results in cross-site scripting. The attack may be launched remotely. This product operates on a rolling release basis with continuous delivery, so no version details are available for either affected or updated releases. The patch is identified as 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. Applying the patch is advised to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

References (7)

Core References
Vdb Entry, Technical Description
VDB-356245 | openstatusHQ openstatus Onboarding Endpoint client.tsx cross site scripting
https://vuldb.com/vuln/356245
Signature, Permissions Required
VDB-356245 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/356245/cti
Third Party Advisory
Submit #787321 | OpenStatus HQ OpenStatus 20260314 DOM-Based XSS, Open Redirect
https://vuldb.com/submit/787321

Scores

CVSS v3: 4.3
EPSS: 0.0028
EPSS Percentile: 19.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79, CWE-94
Status: published
Products (1): openstatusHQ/openstatus 1b678e71a85961ae319cbb214a8eae634059330c
Published: Apr 08, 2026
Tracked Since: Apr 09, 2026