CVE-2026-55437

Source
https://cve.org/CVERecord?id=CVE-2026-55437
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55437.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55437
Aliases
Published
2026-07-08T00:29:18.268Z
Modified
2026-07-08T08:13:46.072465925Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
Details

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables escapeXML: true so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55437.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/coder/coder

Affected ranges

Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "2.34.0"
        },
        {
            "fixed": "2.34.2"
        },
        {
            "introduced": "2.33.0"
        },
        {
            "fixed": "2.33.8"
        },
        {
            "introduced": "2.30.0"
        },
        {
            "fixed": "2.32.7"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "2.29.17"
        }
    ]
}

Affected versions

Other
rm
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.12.7
v0.12.8
v0.12.9
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.22.2
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.23.6
v0.23.7
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.26.1
v0.26.2
v0.27.0
v0.27.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v2.*
v2.0.2
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.10.0
v2.2.1
v2.29.0
v2.29.1
v2.29.10
v2.29.11
v2.29.12
v2.29.13
v2.29.14
v2.29.15
v2.29.16
v2.29.2
v2.29.3
v2.29.4
v2.29.5
v2.29.6
v2.29.7
v2.29.8
v2.29.9
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.32.0
v2.32.0-rc.0
v2.32.1
v2.32.2
v2.32.3
v2.32.4
v2.32.5
v2.32.6
v2.33.0
v2.33.0-rc.0
v2.33.1
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.34.0
v2.34.1
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55437.json"