CVE-2026-36906
Description
Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in IoTGateway v3.0.1 via unsanitized X-Forwarded-For header in log records allows arbitrary JS execution.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in IoTGateway v3.0.1 (and earlier versions) [2]. The root cause is the failure to sanitize the X-Forwarded-For HTTP header when recording API call logs. The GetRemoteIpAddress method in HttpContextExtention.cs directly returns the value from the X-Forwarded-For header without any validation or encoding [1].
Exploitation
An attacker can craft an HTTP request to any API endpoint of the IoTGateway, setting the X-Forwarded-For header to a malicious payload such as 1.1.1.1<img src=x onerror=alert(1)>. This payload is stored unsanitized in the log database. When an administrator views the log records via the /_Admin/ActionLog/Search or /_Admin/ActionLog/Details pages, the payload is rendered in the browser, leading to execution of arbitrary JavaScript [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the logged-in administrator's session. This can lead to session hijacking, data theft, defacement, or further compromise of the IoTGateway instance. The vulnerability is classified as Medium severity (CVSS 6.1).
Mitigation
As of the publication date, no official patch has been released for IoTGateway v3.0.1. Users are advised to upgrade to a version that properly sanitizes log inputs or to restrict access to the admin log interface as a workaround. The issue was reported on the project's GitHub repository [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
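The narrative above names two controls: validate the X-Forwarded-For value before it is written to the log, and encode log fields when the admin pages render them. The following Python is an added example of both controls, not IoTGateway's own C# code; the function names, the header dictionary shape and the sample requests are constructed for illustration.

```python
"""Added example (not IoTGateway's own code): validate X-Forwarded-For before
it is recorded, and HTML-encode log fields when they are rendered."""
import html
import ipaddress
from typing import Mapping


def client_ip_for_log(headers: Mapping[str, str], connection_ip: str) -> str:
    """Return the address to store in an action-log record.

    Only the first comma-separated X-Forwarded-For entry is considered, and it
    must parse as an IPv4 or IPv6 address; anything else falls back to the
    transport-level peer address. Rejecting non-IP text is what keeps a value
    like '1.1.1.1<img src=x onerror=alert(1)>' out of the log in the first place.
    """
    forwarded = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "x-forwarded-for":
            forwarded = value
            break
    if forwarded:
        first = forwarded.split(",")[0].strip()
        try:
            # Store the canonical form of the parsed address, never the raw header text.
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass  # not an IP address: ignore the header entirely
    return connection_ip


def render_log_row(record: Mapping[str, str]) -> str:
    """Defence in depth: encode every field at output time so a stored value
    can never be interpreted as markup in the admin log pages."""
    cells = "".join(f"<td>{html.escape(str(v))}</td>" for v in record.values())
    return f"<tr>{cells}</tr>"


# Constructed sample requests: the malicious header shape from the advisory,
# a legitimate proxy chain, and a request with no proxy header at all.
SAMPLES = [
    ({"X-Forwarded-For": "1.1.1.1<img src=x onerror=alert(1)>"}, "10.0.0.5"),
    ({"x-forwarded-for": "203.0.113.7, 10.0.0.1"}, "10.0.0.5"),
    ({}, "10.0.0.5"),
]

if __name__ == "__main__":
    for hdrs, peer in SAMPLES:
        ip = client_ip_for_log(hdrs, peer)
        print(ip, render_log_row({"ip": ip, "path": "/api/example"}))
```

Two design points worth keeping in mind when porting this to the gateway's HttpContextExtention.cs: the validation step alone would have prevented this particular issue, but output encoding in the log views is what protects against every other field an attacker can influence (User-Agent, request paths, query strings), so both belong in the fix; and even a validated X-Forwarded-For value is still attacker-chosen unless only trusted reverse proxies can reach the application, so logging the connection address alongside it is the safer default.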
Affected products
- (no CPE)
- (no CPE) range: = 3.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.