{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5301", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-04-01T05:33:22.052Z", "datePublished": "2026-04-08T12:04:51.524Z", "dateUpdated": "2026-04-08T16:02:36.804Z"}, "containers": {"cna": {"title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui", "descriptions": [{"lang": "en", "value": "Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries"}], "affected": [{"vendor": "CoolerControl", "product": "coolercontrol-ui", "versions": [{"version": "2.0.0", "status": "affected", "lessThan": "4.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/2.0.0/coolercontrol-ui/src/views/AppInfoView.vue?ref_type=tags#L224"}, {"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/3.1.1/coolercontrol-ui/src/views/AppInfoView.vue?ref_type=tags#L350"}, {"url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 4.0.0"}], "credits": [{"lang": "en", "value": "https://gitlab.com/lassi-3", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T12:04:51.524Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:02:30.243082Z", "id": "CVE-2026-5301", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:02:36.804Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5301", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:02:30.243082Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:02:33.900Z"}}], "cna": {"title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui", "credits": [{"lang": "en", "type": "finder", "value": "https://gitlab.com/lassi-3"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CoolerControl", "product": "coolercontrol-ui", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "4.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 4.0.0"}], "references": [{"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/2.0.0/coolercontrol-ui/src/views/AppInfoView.vue?ref_type=tags#L224"}, {"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/3.1.1/coolercontrol-ui/src/views/AppInfoView.vue?ref_type=tags#L350"}, {"url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "descriptions": [{"lang": "en", "value": "Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T12:04:51.524Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5301", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:02:36.804Z", "dateReserved": "2026-04-01T05:33:22.052Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-04-08T12:04:51.524Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries"}], "id": "CVE-2026-5301", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-04-08T13:16:43.260", "references": [{"source": "cve@gitlab.com", "url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/2.0.0/coolercontrol-ui/src/views/AppInfoView.vue?ref_type=tags#L224"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/3.1.1/coolercontrol-ui/src/views/AppInfoView.vue?ref_type=tags#L350"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,4.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "coolercontrol-ui", "vendor": "coolercontrol"}], "analysis": {"en": {"generated_at": "2026-04-08T13:50:55.421125+00:00", "value": {"mitigation_remediation": ["Upgrade CoolerControl UI to version 4.0.0"], "summary": {"action": "Immediate Patch", "impact": "Stored XSS allowing unauthenticated code execution and potential service takeover"}, "threat_synthesis": {"affected_systems": "The CoolerControl coolercontrol-ui component is affected in all releases older than version 4.0.0. Administrators should verify that their installation\u2019s version is below 4.0.0 and plan an upgrade accordingly.", "description_and_impact": "This vulnerability is an improper neutralization of input during web page generation in CoolerControl\u2019s coolercontrol-ui log viewer. Unauthenticated users can inject malicious JavaScript into log entries, which the interface renders without sufficient sanitization. The injected code runs within the context of service users, enabling session hijack, data exfiltration, or even full service takeover, thereby compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "With a CVSS score of 7.6, this issue is high severity. Attackers require no authentication and can simply navigate to the log viewer to deliver the payload, as the description explicitly states. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, but the ease of exploitation and the serious impact keep the risk significant for exposed deployments."}}}}, "created": "2026-04-08T19:39:43.413982+00:00", "updated": "2026-04-09T08:21:53.012582+00:00", "vendors": ["coolercontrol", "coolercontrol$PRODUCT$coolercontrol-ui"]}