Hashgraph Guardian Stored XSS via branding companyName field
Description
Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The company name from branding configuration is assigned to the DOM using innerHTML instead of textContent, allowing stored cross-site scripting."
Attack vector
An authenticated user with the STANDARD_REGISTRY role submits a crafted `companyName` value containing HTML or JavaScript payloads through the branding configuration API endpoint. Because the branding service runs from the root app component, the malicious payload is rendered on every page load for every authenticated user. The payload executes in the context of the victim's browser session, enabling data theft, session hijacking, or further malicious actions. [CWE-79]
Affected code
The vulnerability exists in three locations: `frontend/src/app/services/branding.service.ts` line 102 and `frontend/src/app/views/branding/branding.component.ts` lines 222 and 244. All three assign the `companyName` value to the DOM via `.innerHTML` instead of `.textContent`, allowing stored XSS.
What the fix does
The patch replaces `.innerHTML` with `.textContent` at all three affected locations. `textContent` always treats the value as plain text and never interprets HTML or script tags, which prevents any injected payload from executing. Since the company name is never intended to contain markup, this change preserves the intended behavior while closing the XSS vector.
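The two DOM sinks contrasted above, side by side, as an added JavaScript example (not Guardian's own code): `el` stands for any object with `innerHTML`/`textContent` properties, and `validateCompanyName` and `auditBranding` are added defence-in-depth helpers that are assumptions, not part of the published fix.

```javascript
// Added example, not Guardian's code. `el` is any object with innerHTML /
// textContent properties: a real Element in the browser, a plain object here.

// Vulnerable pattern described in the advisory: the browser parses the
// stored companyName as HTML, so any markup in it becomes part of the page.
function renderCompanyNameUnsafe(el, companyName) {
  el.innerHTML = companyName;
}

// Fixed pattern: textContent stores the value as one text node, so a value
// such as '<b>Acme</b>' is displayed literally and nothing is parsed.
function renderCompanyNameSafe(el, companyName) {
  el.textContent = companyName;
}

// Defence in depth (an assumption, not part of the published fix): validate
// companyName when the branding configuration is saved. A company name has
// no legitimate need for markup or control characters, so reject them
// outright instead of trying to filter specific payloads.
function validateCompanyName(companyName) {
  if (typeof companyName !== 'string') return { ok: false, reason: 'not a string' };
  const value = companyName.trim();
  if (value.length === 0 || value.length > 200) return { ok: false, reason: 'length' };
  if (/[<>]/.test(value)) return { ok: false, reason: 'markup characters' };
  if (/[\u0000-\u001f\u007f]/.test(value)) return { ok: false, reason: 'control characters' };
  return { ok: true, value };
}

// Audit helper for already-stored branding records: list the string fields
// that contain a tag-like sequence and would have been rendered as markup
// by the innerHTML sink before the fix.
function auditBranding(brandingConfig) {
  return Object.entries(brandingConfig)
    .filter(([, v]) => typeof v === 'string' && /<[a-zA-Z!\/?]/.test(v))
    .map(([key]) => key);
}

// Constructed sample record (field names other than companyName are made up).
const sampleBranding = {
  companyName: '<b>Acme</b>',
  footerText: 'All rights reserved',
  companyLogoUrl: 'https://example.com/logo.png',
};
```

Running `auditBranding(sampleBranding)` returns `['companyName']`, the one field that would have been parsed as markup by the old sink.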
Preconditions
- (auth) Attacker must be authenticated with the STANDARD_REGISTRY role.
- (input) Attacker must have access to the branding configuration API endpoint.
- (auth) Victim must be an authenticated user of the application.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/hashgraph/guardian/commit/ba8c566807848cf84360716438056d8d8d2c8362 (MITRE; patch)
- https://www.vulncheck.com/advisories/hashgraph-guardian-stored-xss-via-branding-companyname-field (MITRE; third-party advisory)
- https://github.com/hashgraph/guardian/pull/6190 (MITRE; issue tracking)