Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables escapeXML: true so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55437.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-79"
]
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "2.34.0"
},
{
"fixed": "2.34.2"
},
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
},
{
"introduced": "2.30.0"
},
{
"fixed": "2.32.7"
},
{
"introduced": "0"
},
{
"fixed": "2.29.17"
}
]
}