5.8

CVE-2026-33061

Exploit
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.
Data provided by the National Vulnerability Database (NVD)
Affected products (vendor / product / version):
Jexactyl / Jexactyl / <= 3.8.0
Jexactyl / Jexactyl / 4.0.0 (update: beta1)
Jexactyl / Jexactyl / 4.0.0 (update: beta2)
Jexactyl / Jexactyl / 4.0.0 (update: beta3)
Jexactyl / Jexactyl / 4.0.0 (update: beta4)
Jexactyl / Jexactyl / 4.0.0 (update: beta5)
Jexactyl / Jexactyl / 4.0.0 (update: beta6)
Jexactyl / Jexactyl / 4.0.0 (update: beta7)
Jexactyl / Jexactyl / 4.0.0 (update: rc1)
Jexactyl / Jexactyl / 4.0.0 (update: rc2)
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.02% | 0.05
CVSS Metrics
Source | Base Score | Exploitability Score | Impact Score | Vector String
nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com | 5.8 | 0.6 | 5.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
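An added illustration of the encoding difference behind this weakness (example code, not Jexactyl's own; the function names, the sample data and the template snippet in the comments are assumptions): the same array printed through a raw Blade output, once with plain json_encode() and once with the JSON_HEX_* flags, plus a small check a reviewer can run over rendered output.

```php
<?php
// Added example, not Jexactyl's code. Contrasts plain json_encode() with the
// hardened flags when a Blade template prints server-side data raw, e.g.
//   <script>window.SiteConfiguration = {!! json_encode($config) !!};</script>
// {!! !!} does no HTML escaping, and json_encode() by default leaves <, >, &
// and ' literal (only "/" is escaped), so those characters reach the HTML
// parser unchanged.

declare(strict_types=1);

/** Shape the vulnerable template is described as using (assumed). */
function encode_unsafe(array $data): string
{
    return json_encode($data, JSON_THROW_ON_ERROR);
}

/** Hardened variant: hex-escape every character that matters to the HTML parser. */
function encode_for_inline_script(array $data): string
{
    return json_encode(
        $data,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
}

/**
 * Review check: a JSON literal that is safe to embed in <script> contains no
 * literal <, >, & or '. Structural double quotes are expected; inside strings
 * JSON_HEX_QUOT turns them into \u0022.
 */
function is_safe_for_inline_script(string $json): bool
{
    return preg_match('/[<>&\']/', $json) === 0;
}

// Constructed sample: a display name carrying markup, as an attacker-controlled
// field such as a username or site config value would.
$constructed = ['name' => "alice<b>x</b>", 'note' => "a&b 'q' \"dq\""];

$unsafe = encode_unsafe($constructed);
$safe   = encode_for_inline_script($constructed);

printf("unsafe: %s -> %s\n", $unsafe, is_safe_for_inline_script($unsafe) ? 'ok' : 'unsafe');
printf("safe:   %s -> %s\n", $safe, is_safe_for_inline_script($safe) ? 'ok' : 'unsafe');
// The hardened output carries \u003C, \u003E, \u0026, \u0027 and \u0022 instead;
// Laravel's own @json Blade directive applies these four JSON_HEX_* flags by default.
```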