Skip to content

Commit 9e861a2

Browse files
advisory-database[bot]advisory-database[bot]
committed
1 parent 0251181 commit 9e861a2

File tree

1 file changed

+137
-0
lines changed

1 file changed

+137
-0
lines changed

advisories/github-reviewed/2026/01/GHSA-gfpw-jgvr-cw4j/GHSA-gfpw-jgvr-cw4j.json

Lines changed: 137 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,137 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-gfpw-jgvr-cw4j",
4+
"modified": "2026-01-20T20:52:17Z",
5+
"published": "2026-01-20T20:52:17Z",
6+
"aliases": [
7+
"CVE-2026-22808"
8+
],
9+
"summary": "Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability",
10+
"details": "### Impact\n\nIf Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser.\n\nA compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts to managed hosts.\n\nThis issue does not allow unauthenticated access and does not affect instances where Windows MDM is disabled.\n\n### Patches\n\n- 4.78.2\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/fleetdm/fleet"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "4.78.0"
29+
},
30+
{
31+
"fixed": "4.78.2"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/fleetdm/fleet"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "4.77.0"
48+
},
49+
{
50+
"fixed": "4.77.1"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Go",
59+
"name": "github.com/fleetdm/fleet"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "4.76.0"
67+
},
68+
{
69+
"fixed": "4.76.2"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "Go",
78+
"name": "github.com/fleetdm/fleet"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "4.75.0"
86+
},
87+
{
88+
"fixed": "4.75.2"
89+
}
90+
]
91+
}
92+
]
93+
},
94+
{
95+
"package": {
96+
"ecosystem": "Go",
97+
"name": "github.com/fleetdm/fleet/v4"
98+
},
99+
"ranges": [
100+
{
101+
"type": "ECOSYSTEM",
102+
"events": [
103+
{
104+
"introduced": "0"
105+
},
106+
{
107+
"fixed": "4.43.5-0.20260111020427-0e6c790803d1"
108+
}
109+
]
110+
}
111+
]
112+
}
113+
],
114+
"references": [
115+
{
116+
"type": "WEB",
117+
"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j"
118+
},
119+
{
120+
"type": "WEB",
121+
"url": "https://github.com/fleetdm/fleet/commit/0e6c790803d1b4407c5b4b41a67a37864a3d3573"
122+
},
123+
{
124+
"type": "PACKAGE",
125+
"url": "https://github.com/fleetdm/fleet"
126+
}
127+
],
128+
"database_specific": {
129+
"cwe_ids": [
130+
"CWE-79"
131+
],
132+
"severity": "HIGH",
133+
"github_reviewed": true,
134+
"github_reviewed_at": "2026-01-20T20:52:17Z",
135+
"nvd_published_at": null
136+
}
137+
}

0 commit comments

Comments
 (0)