Medium severity5.4NVD Advisory· Published Apr 8, 2026· Updated Apr 17, 2026

CVE-2026-40028

Description

Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution.

Affected products

Yamato Security/Hayabusa
cpe:2.3:a:yamato-security:hayabusa:*:*:*:*:*:*:*:*
Range: <3.8.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

mobasi.ai/sentinelnvdThird Party Advisory
www.vulncheck.com/advisories/hayabusa-xss-via-json-log-importnvdThird Party Advisory
github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0nvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000