CVE-2026-22674
4.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| hashgraph | guardian | 0 <= 3.6.0 | affected |
| hashgraph | guardian | ba8c566807848cf84360716438056d8d8d2c8362 | unaffected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/hashgraph/guardian/pull/6190
- https://github.com/hashgraph/guardian/commit/ba8c566807848cf84360716438056d8d8d2c8362
- https://www.vulncheck.com/advisories/hashgraph-guardian-stored-xss-via-branding-companyname-field
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.