Medium severity · OSV Advisory · Published Nov 5, 2024 · Updated Jun 17, 2026
CVE-2024-51498
Description
cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links using the javascript: protocol, resulting in cross-site scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit 66bac03e, was mitigated in commit 97977efa (correctly configured web instances were no longer vulnerable) and fully fixed in commit c4be1d3a (included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a Content Security Policy.
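The defensive check implied by the description, written here as an added example rather than cobalt's own fix: before a link returned by a (possibly untrusted) instance is placed into an href or handed to a download routine, its scheme is checked against an allowlist so that javascript: (and other non-web schemes such as data:) never reach the browser as a navigable URL. The function names, the item shape and the sample picker response are assumptions for illustration.

```javascript
// Added illustration, not code from the cobalt project: an allowlist check
// for links returned by a remote instance before they are rendered as
// <a href> targets or passed to a download routine.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isSafeHref(candidate) {
  if (typeof candidate !== "string") return false;
  let parsed;
  try {
    // No base URL is supplied: relative links and anything unparsable are
    // rejected, since a downloader should only receive absolute media URLs.
    parsed = new URL(candidate);
  } catch {
    return false;
  }
  // URL() normalises the scheme (trims surrounding whitespace, lower-cases),
  // so " JavaScript:void(0)" still yields protocol "javascript:" and is denied.
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Reduce a picker response to the items whose links pass the check.
// Item shape ({ type, url }) is a hypothetical layout for this example.
function sanitizePicker(items) {
  return items.filter((item) => item && isSafeHref(item.url));
}

// Constructed sample response: two usable links, three that must be dropped.
const samplePicker = [
  { type: "photo", url: "https://cdn.example.test/a.jpg" },
  { type: "photo", url: "javascript:alert(1)" },
  { type: "video", url: " JavaScript:void(0)" },
  { type: "video", url: "data:text/html;base64,PHNjcmlwdD4=" },
  { type: "video", url: "http://cdn.example.test/b.mp4" },
];

console.log(sanitizePicker(samplePicker).map((item) => item.url));
```

The scheme check is the code-level fix; the Content Security Policy the advisory recommends as a stopgap works because browsers treat javascript: URL navigation as inline script execution, so a `script-src` directive without `'unsafe-inline'` blocks it even if a hostile link does reach the page. Doing both means a single bypass of either layer is not enough.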
References (4)
- github.com/imputnet/cobalt/commit/66bac03e3078e4e781d2d3903c05ad66a883a354
- github.com/imputnet/cobalt/commit/97977efabd92375f270d1818f38de3b0682c2f19
- github.com/imputnet/cobalt/commit/c4be1d3a37b0deb6b6087ec7a815262ac942daf1
- github.com/imputnet/cobalt/security/advisories/GHSA-cm4c-v4cm-3735