CVE-2026-33061

{"id": "CVE-2026-33061", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-20T08:16:12.090", "references": [{"url": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd."}, {"lang": "es", "value": "exactyl es un panel de gesti\u00f3n de juegos y sistema de facturaci\u00f3n personalizable. Commits despu\u00e9s de 025e8dbb0daaa04054276bda814d922cf4af58da y antes de e28edb204e80efab628d1241198ea4f079779cfd inyectan objetos del lado del servidor en JavaScript del lado del cliente a trav\u00e9s de resources/views/templates/wrapper.blade.php. Usar {!! json_encode(...) !!} sin escapar y sin banderas de codificaci\u00f3n segura permite que los valores de cadena salgan del contexto de JavaScript y sean interpretados como HTML/JS por el navegador. Si alg\u00fan campo serializado contiene contenido controlado por el atacante, como un nombre de usuario, nombre de visualizaci\u00f3n o valor de configuraci\u00f3n del sitio, una carga \u00fatil maliciosa ejecutar\u00e1 un script arbitrario para cualquier usuario que vea la p\u00e1gina (XSS DOM almacenado). Este problema ha sido parcheado por el commit e28edb204e80efab628d1241198ea4f079779cfd."}], "lastModified": "2026-04-14T17:56:38.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jexactyl:jexactyl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C552E32-4BAD-440D-B29A-B2E02246AE20", "versionEndIncluding": "3.8.0"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08A85D83-EB57-4B0B-B35F-0CCAAA46E973"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7916B5CF-2EB4-46CC-A1B9-A2923509D81D"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F082307-4A99-4365-9931-9D8948C998D2"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7373C273-098A-41E1-A8A8-CAB1358B828A"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3967F8B9-EFB8-4B74-AF96-DDE4D81D91BA"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1EFCCD5-7C2A-478D-A484-81007FE6FB19"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "887913CA-22D9-489C-8B13-3D52CA759405"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4878F19-2FBC-4230-A944-9F87B31B1C96"}, {"criteria": "cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3A132E3-C73F-4783-AA85-A1222BA437BF"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}