CVE-2026-33061 (GCVE-0-2026-33061)
Vulnerability from cvelistv5 – Published: 2026-03-20 07:34 – Updated: 2026-03-30 12:39
Title
Jexactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template
Summary
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.
Severity
5.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2 | x_refsource_CONFIRM, exploit |
| https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33061",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T13:49:01.159315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T13:49:26.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jexactyl",
"vendor": "Jexactyl",
"versions": [
{
"status": "affected",
"version": "\u003e= 025e8dbb0daaa04054276bda814d922cf4af58da, \u003c e28edb204e80efab628d1241198ea4f079779cfd"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T12:39:35.052Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2"
},
{
"name": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd"
}
],
"source": {
"advisory": "GHSA-6xgw-mmmv-57h2",
"discovery": "UNKNOWN"
},
"title": "Jexactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33061",
"datePublished": "2026-03-20T07:34:14.077Z",
"dateReserved": "2026-03-17T19:27:06.342Z",
"dateUpdated": "2026-03-30T12:39:35.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33061",
"date": "2026-05-05",
"epss": "0.00028",
"percentile": "0.07732"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33061\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T08:16:12.090\",\"lastModified\":\"2026-04-14T17:56:38.773\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.\"},{\"lang\":\"es\",\"value\":\"exactyl es un panel de gesti\u00f3n de juegos y sistema de facturaci\u00f3n personalizable. Commits despu\u00e9s de 025e8dbb0daaa04054276bda814d922cf4af58da y antes de e28edb204e80efab628d1241198ea4f079779cfd inyectan objetos del lado del servidor en JavaScript del lado del cliente a trav\u00e9s de resources/views/templates/wrapper.blade.php. Usar {!! json_encode(...) !!} sin escapar y sin banderas de codificaci\u00f3n segura permite que los valores de cadena salgan del contexto de JavaScript y sean interpretados como HTML/JS por el navegador. Si alg\u00fan campo serializado contiene contenido controlado por el atacante, como un nombre de usuario, nombre de visualizaci\u00f3n o valor de configuraci\u00f3n del sitio, una carga \u00fatil maliciosa ejecutar\u00e1 un script arbitrario para cualquier usuario que vea la p\u00e1gina (XSS DOM almacenado). 
Este problema ha sido parcheado por el commit e28edb204e80efab628d1241198ea4f079779cfd.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.6,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.8.0\",\"matchCriteriaId\":\"6C552E32-4BAD-440D-B29A-B2E02246AE20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"08A85D83-EB57-4B0B-B35F-0CCAAA46E973\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7916B5CF-2EB4-46CC-A1B9-A2923509D81D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F082307-4A99-4365-9931-9D8948C998D2\"},{\"vulnerable\":true
,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"7373C273-098A-41E1-A8A8-CAB1358B828A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"3967F8B9-EFB8-4B74-AF96-DDE4D81D91BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"E1EFCCD5-7C2A-478D-A484-81007FE6FB19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"887913CA-22D9-489C-8B13-3D52CA759405\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4878F19-2FBC-4230-A944-9F87B31B1C96\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jexactyl:jexactyl:4.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"C3A132E3-C73F-4783-AA85-A1222BA437BF\"}]}]}],\"references\":[{\"url\":\"https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33061\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T13:49:01.159315Z\"}}}], \"references\": [{\"url\": \"https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T13:49:21.671Z\"}}], \"cna\": {\"title\": \"Jexactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template\", \"source\": {\"advisory\": \"GHSA-6xgw-mmmv-57h2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Jexactyl\", \"product\": \"Jexactyl\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 025e8dbb0daaa04054276bda814d922cf4af58da, \u003c e28edb204e80efab628d1241198ea4f079779cfd\"}]}], \"references\": [{\"url\": \"https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2\", \"name\": \"https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd\", \"name\": \"https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd\", \"tags\": [\"x_refsource_MISC\"]}], 
\"descriptions\": [{\"lang\": \"en\", \"value\": \"Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-30T12:39:35.052Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33061\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-30T12:39:35.052Z\", \"dateReserved\": \"2026-03-17T19:27:06.342Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T07:34:14.077Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.