CVE-2026-55437
MEDIUMCVSS v3.1: 5.4
Source data as of:
At a glance
- Severity
- MEDIUM
- CVSS
- 5.4 v3.1 · NVD
- EPSS
- EPSS not provided by FIRST.org for this CVE
- CISA KEV
- No
- Type
- XSS · NVD CWE
- Attack conditions (CVSS vector)
- Network · Source: NVD Vector
- Published
- 2026-07-08 · Modified: 2026-07-08
- References
- Jump to references (6)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Reference https://github.com/coder/coder/pull/25808
- Patch https://github.com/coder/coder/releases/tag/v2.29.17
- Patch https://github.com/coder/coder/releases/tag/v2.32.7
- Patch https://github.com/coder/coder/releases/tag/v2.33.8
- Patch https://github.com/coder/coder/releases/tag/v2.34.2
- Vendor advisory https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7