CVE-2026-41200

Source
https://cve.org/CVERecord?id=CVE-2026-41200
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41200.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41200
Aliases
  • GHSA-wg33-j3rv-jq72
Published
2026-04-23T00:40:23.187Z
Modified
2026-07-08T08:15:58.119852194Z
Severity
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
STIG Manager has reflected XSS vulnerability in the Web App
Details

STIG Manager is an API and web client for managing Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code in src/init.js and public/reauth.html. During the OIDC redirect flow, the error and error_description query parameters returned by the OIDC provider are written directly to the DOM via innerHTML without HTML escaping. An attacker who can craft a malicious redirect URL and convince a user to follow it can execute arbitrary JavaScript in the application's origin context. The vulnerability is most severe when the targeted user has an active STIG Manager session running in another browser tab — injected code executes in the same origin and can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data. The vulnerability is patched in version 1.6.8. There is no workaround short of upgrading. Deployments behind a web application firewall that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41200.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/nuwcdivnpt/stig-manager

Affected ranges

Type
GIT
Repo
https://github.com/nuwcdivnpt/stig-manager
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "1.5.10"
        },
        {
            "fixed": "1.6.8"
        },
        {
            "fixed": "1.6.7"
        }
    ]
}

Affected versions

1.*
1.5.10
1.5.11
1.5.12
1.5.13
1.5.14
1.5.15
1.5.16
1.5.17
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41200.json"