CVE-2026-40028

Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0	Release Notes
https://mobasi.ai/sentinel	Third Party Advisory
https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:yamato-security:hayabusa:*:*:*:*:*:*:*:*

History

17 Apr 2026, 16:17

Type	Values Removed	Values Added
First Time		Yamato-security hayabusa Yamato-security
References	~~() https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0 -~~	() https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0 - Release Notes
References	~~() https://mobasi.ai/sentinel -~~	() https://mobasi.ai/sentinel - Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import -~~	() https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import - Third Party Advisory
CPE		cpe:2.3:a:yamato-security:hayabusa::::::::

08 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 22:16

Updated : 2026-04-17 16:17

NVD link : CVE-2026-40028

Mitre link : CVE-2026-40028

CVE.ORG link : CVE-2026-40028

JSON object : View

Products Affected

yamato-security

hayabusa

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-40028", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-08T22:16:23.137", "references": [{"url": "https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://mobasi.ai/sentinel", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution."}], "lastModified": "2026-04-17T16:17:48.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yamato-security:hayabusa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CFE7B4B2-9683-43D3-9D32-CB6450E122B7", "versionEndExcluding": "3.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}