STIG Manager has reflected XSS vulnerability in the Web App

8.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

STIG Manager is an API and web client for managing Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code in `src/init.js` and `public/reauth.html`. During the OIDC redirect flow, the `error` and `error_description` query parameters returned by the OIDC provider are written directly to the DOM via `innerHTML` without HTML escaping. An attacker who can craft a malicious redirect URL and convince a user to follow it can execute arbitrary JavaScript in the application's origin context. The vulnerability is most severe when the targeted user has an active STIG Manager session running in another browser tab — injected code executes in the same origin and can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data. The vulnerability is patched in version 1.6.8. There is no workaround short of upgrading. Deployments behind a web application firewall that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching.

AI Analysis

Reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code

Basic Information

ID CVE-2026-41200

Source GitHub_M

Published Apr 23, 2026 at 00:40

Affected Product

Vendor NUWCDIVNPT

Product stig-manager

Version >= 1.5.10, < 1.6.8

Affected Versions NUWCDIVNPT stig-manager >= 1.5.10, < 1.6.8

CWE Classification

CWE-79

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor NUWCDIVNPT

Product STIG Manager

Version 1.5.10-1.6.7

References

github.com /NUWCDIVNPT/stig-manager/security/advisories/GHSA-wg33-j3rv-jq72

{
    "lastseen": "",
    "description": "STIG Manager is an API and web client for managing  Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code in `src/init.js` and `public/reauth.html`. During the OIDC redirect flow, the `error` and `error_description` query parameters returned by the OIDC provider are written directly to the DOM via `innerHTML` without HTML escaping. An attacker who can craft a malicious redirect URL and convince a user to follow it can execute arbitrary JavaScript in the application's origin context. The vulnerability is most severe when the targeted user has an active STIG Manager session running in another browser tab \u2014 injected code executes in the same origin and can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data. The vulnerability is patched in version 1.6.8. There is no workaround short of upgrading. Deployments behind a web application firewall that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching.",
    "published": "2026-04-23T00:40:23.187Z",
    "modified": "2026-04-23T00:40:23.187Z",
    "type": "cve",
    "title": "STIG Manager has reflected XSS vulnerability in the Web App",
    "source": "GitHub_M",
    "references": "https://github.com/NUWCDIVNPT/stig-manager/security/advisories/GHSA-wg33-j3rv-jq72",
    "id": "CVE-2026-41200",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "NUWCDIVNPT stig-manager >= 1.5.10, < 1.6.8",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "stig-manager",
    "version": ">= 1.5.10, < 1.6.8",
    "vendor": "NUWCDIVNPT",
    "ai_description": "Reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code",
    "ai_severity": "High",
    "ai_vendor": "NUWCDIVNPT",
    "ai_product": "STIG Manager",
    "ai_version": "1.5.10-1.6.7",
    "ai_score": 8.5
}

STIG Manager has reflected XSS vulnerability in the Web App_CVE-2026-41200