Dismissed
(max. allowed matches exceeded)
Permalink
CVE-2026-55437
5.4 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Created & dismissed (max. allowed matches exceeded) suggestion
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.
References
-
https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7 x_refsource_CONFIRM
-
https://github.com/coder/coder/pull/25808 x_refsource_MISC
-
https://github.com/coder/coder/releases/tag/v2.29.17 x_refsource_MISC
-
https://github.com/coder/coder/releases/tag/v2.32.7 x_refsource_MISC
-
https://github.com/coder/coder/releases/tag/v2.33.8 x_refsource_MISC
-
https://github.com/coder/coder/releases/tag/v2.34.2 x_refsource_MISC
Affected products
coder
- ==>= 2.33.0, < 2.33.8
- ==>= 2.30.0, < 2.32.7
- ==< 2.29.17
- ==>= 2.34.0, < 2.34.2