CVE-2026-40028

Source
https://cve.org/CVERecord?id=CVE-2026-40028
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40028.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40028
Published
2026-04-08T21:35:24.001Z
Modified
2026-07-08T08:15:52.720756552Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Hayabusa < 3.8.0 XSS via JSON Log Import
Details

Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40028.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/yamato-security/hayabusa

Affected ranges

Type
GIT
Repo
https://github.com/yamato-security/hayabusa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:yamato-security:hayabusa:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.7.0"
        },
        {
            "fixed": "3.8.0"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.0-R2
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.8.1
v1.9.0
v2.*
v2.0.0
v2.1.0
v2.10.0
v2.10.1
v2.11.0
v2.12.0
v2.13.0
v2.14.0
v2.15.0
v2.16.0
v2.16.1
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.2
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.8.0
v2.9.0
v3.*
v3.0.0
v3.0.1
v3.1.0
v3.1.1
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v3.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40028.json"