Open OnDemand: Specially crafted filenames can execute javascript in the...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute javascript in the file browser This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.

Basic Information

ID CVE-2026-44371

Source GitHub_M

Published May 14, 2026 at 15:02

Modified May 14, 2026 at 15:37

Affected Product

Vendor OSC

Product ondemand

Version < 4.0.11

Affected Versions OSC ondemand < 4.0.11
OSC ondemand >= 4.1.0, < 4.1.5
OSC ondemand >= 4.2.0, < 4.2.2

CWE Classification

CWE-79

References

github.com /OSC/ondemand/security/advisories/GHSA-xcv4-m435-m33h

{
    "lastseen": "",
    "description": "Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute javascript in the file browser This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.",
    "published": "2026-05-14T15:02:17.361Z",
    "modified": "2026-05-14T15:37:14.075Z",
    "type": "cve",
    "title": "Open OnDemand: Specially crafted filenames can execute javascript in the file browser",
    "source": "GitHub_M",
    "references": "https://github.com/OSC/ondemand/security/advisories/GHSA-xcv4-m435-m33h",
    "id": "CVE-2026-44371",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "OSC ondemand < 4.0.11\nOSC ondemand >= 4.1.0, < 4.1.5\nOSC ondemand >= 4.2.0, < 4.2.2",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ondemand",
    "version": "< 4.0.11",
    "vendor": "OSC",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Open OnDemand: Specially crafted filenames can execute javascript in the file browser_CVE-2026-44371