Wiz
Base de données de vulnérabilitésGHSA-26wg-9xf2-q495

GHSA-26wg-9xf2-q495
JavaScript Analyse et atténuation des vulnérabilités

Summary

XSS sanitization is incomplete, some attributes are missing such as oncontentvisibilityautostatechange=. This allows for the email preview to render HTML that executes arbitrary JavaScript,

Details

Sanitization is implemented here: https://github.com/novuhq/novu/blob/next/libs/application-generic/src/services/sanitize/sanitizer.service.ts With allowedAttributes: false, all attributes are allowed through sanitize-html. Even dangerous ones like oncontentvisibilityautostatechange=. The DANGEROUS_ATTRIBUTES array tries to handle this by denying more attributes after the fact, but this list is incomplete. I copied all well-known payloads from: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet And found that the oncontentvisibilityautostatechange= attribute isn't detected. PS. there seems to also be another even more lax sanitizer here, but I wasn't able to figure out where it is used: https://github.com/novuhq/novu/blob/next/packages/framework/src/utils/sanitize.utils.ts

PoC

  1. Create a new workflow and add an Email step
  2. In the body, write the following HTML code:
<a oncontentvisibilityautostatechange="alert(window.origin)" style="display:block;content-visibility:auto">
  1. Wait a second and notice the XSS popup showing the current origin:

image https://dashboard.novu.co/env/dev_env_gVtdgDEhgf1CetwX/workflows/onboarding-demo-workflow_wf_gVtdh2uV0h7j3ffK/steps/email-step_st_gVtqdgIrOkYVvP9F/editor

Impact

This may look like a Self-XSS similar to https://github.com/novuhq/novu/security/advisories/GHSA-w8vm-jx29-52fr, but it can be more impactful. First of all, if multiple users can access this dashboard, the link above can directly bring the to the email step editor to trigger the XSS. An attacker can also use the Google/GitHub OAuth flows without completing the code callback step, and send that URL to the victim to intentionally log the vicitm into the attacker's account. If the attacker has prepared an XSS payload there, they will now be allowed to view it, so it triggers.

SourceNVD

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-39884HIGH8.3
  • JavaScriptJavaScript
  • mcp-server-kubernetes
NonOuiApr 15, 2026
GHSA-26wg-9xf2-q495HIGH8.1
  • JavaScriptJavaScript
  • novu/api
NonOuiApr 14, 2026
CVE-2026-33806HIGH7.5
  • JavaScriptJavaScript
  • fastify
NonOuiApr 15, 2026
GHSA-43fj-qp3h-hrh5MEDIUM6.9
  • JavaScriptJavaScript
  • @sync-in/server
NonOuiApr 15, 2026
CVE-2026-40346MEDIUM6.4
  • JavaScriptJavaScript
  • @nocobase/plugin-workflow-request
NonOuiApr 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Ressources Wiz supplémentaires

PEACH

PEACH

Un cadre d’isolation des locataires

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités
Demander une démo