CVE-2024-55226: 
Rust vulnerability analysis and mitigation

Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs. The vulnerability was identified in November 2024 and assigned CVE-2024-55226. The issue affects the breach check functionality where users could submit usernames that were reflected by the server, potentially allowing for HTML injection (NVD, Insinuator).

The vulnerability is classified as a reflected XSS issue with a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the breach check functionality where user-submitted usernames are reflected without proper sanitization. However, the exploitation is limited by the application's content security policy (NVD).

The impact of this vulnerability is limited as it can only be used against oneself (self-XSS) and is further restricted by the application's content security policy. The vulnerability allows for HTML injection but requires user interaction and authenticated access (Insinuator).

The vulnerability was addressed in subsequent releases after version 1.32.5. Users are recommended to upgrade to the latest version of Vaultwarden to receive the security fixes (Github Release).