CVE-2026-24710
Description
Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CFEngine Enterprise Mission Portal before 3.21.8, 3.24.3, and 3.27.0 is vulnerable to cross-site scripting (XSS) due to missing input sanitization; exploitation requires authenticated access.
Vulnerability
Northern.tech CFEngine Enterprise Mission Portal contains multiple injection flaws, including cross-site scripting (XSS), due to missing input sanitization and improper output escaping [1]. The vulnerability affects versions 3.26.0, 3.24.2, 3.21.7, and earlier [1]. It requires an authenticated user to trigger the injection, e.g., by visiting a crafted page [1].
Exploitation
An attacker with a valid user account can submit a payload, typically as part of a request to the Mission Portal, that is not sanitized before being stored or rendered. When an administrator or other user visits a page displaying the injected content, the malicious JavaScript executes in their browser [1]. The vendor blog post also notes that command injection and blind SQL injection are possible through similar unsanitized inputs, though the XSS vector is the focus of this CVE [1].
Impact
Successful XSS allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, data exfiltration, or further administrative actions [1]. Other injection types may enable running shell commands on the hub or extracting information via timing-based methods, expanding the compromise beyond browser-level access [1].
Mitigation
Upgrade to CFEngine Enterprise 3.27.0, 3.24.3, 3.21.8, or later to remediate the issue [1]. There is no known workaround; the vendor recommends following the official upgrade documentation [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=3.21 <3.21.8 || >=3.24 <3.24.3 || <3.27.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cfengine.com/blog/2026/cve-2026-24710-and-cve-2026-24711-and-cve-2026-24712/ (NVD tags: Mitigation, Vendor Advisory)
- northern.tech (NVD tag: Product)
News mentions
No linked articles in our index yet.