CVE-2026-44371
Description
Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute JavaScript in the file browser. This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Open OnDemand allows arbitrary JavaScript execution via specially crafted filenames in the file browser, fixed in versions 4.0.11, 4.1.5, and 4.2.2.
Open OnDemand suffers from a stored cross-site scripting (XSS) vulnerability in its file browser component. The root cause is that filenames are not properly sanitized before rendering, allowing an attacker to inject arbitrary JavaScript code through specially crafted filenames [1].
Exploitation requires an attacker to have the ability to create or upload files with malicious names on the Open OnDemand instance. When other users browse the file system using the file browser, the crafted filename triggers execution of the injected JavaScript in their browsers. The attack can be performed without elevated privileges, as users can store files in their own directories [1].
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can result in theft of authentication tokens, data exfiltration, or other actions performed on behalf of the victim. The vulnerability affects all versions prior to 4.0.11, 4.1.5, and 4.2.2 [1].
The issue has been addressed in versions 4.0.11, 4.1.5, and 4.2.2. Users are advised to upgrade to a fixed version. No workaround is mentioned in the advisory [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
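The narrative above describes the root cause as filenames being inserted into the file browser's markup without escaping. The following is an added illustration, not Open OnDemand's code: it places the vulnerable interpolation pattern beside a hardened renderer that escapes the name for the HTML text context and percent-encodes it for the link context. The row layout and the "/files/fs/" path prefix are assumptions chosen for the example; the sample filenames are constructed. In a real browser the same fix is usually expressed by building nodes with `document.createElement` and `textContent` instead of string templates.

```javascript
// Added example (not Open OnDemand's code). Row markup and the "/files/fs/"
// prefix are assumptions for illustration only.

// Escape the characters that can change meaning in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the filename is interpolated verbatim, so any markup
// in the name becomes part of the rendered page (stored XSS).
function renderRowUnsafe(name) {
  return `<tr><td><a href="/files/fs/${name}">${name}</a></td></tr>`;
}

// Hardened pattern: each output context gets its own encoding.
// encodeURIComponent handles the URL path segment (it leaves ' alone, which is
// why the href is still HTML-escaped afterwards); escapeHtml handles the text.
function renderRowSafe(name) {
  const href = "/files/fs/" + encodeURIComponent(name);
  return `<tr><td><a href="${escapeHtml(href)}">${escapeHtml(name)}</a></td></tr>`;
}

// Render a whole directory listing with the chosen row renderer.
function renderListing(names, renderRow = renderRowSafe) {
  return "<table>" + names.map(renderRow).join("") + "</table>";
}

// Constructed sample listing: one ordinary name and one that carries markup.
const SAMPLE_NAMES = ["results.csv", "<script>alert(1)</script>.txt"];

// Check used when comparing the two renderers: does the output contain a raw tag?
function containsRawTag(html, tag) {
  return html.includes("<" + tag);
}

console.log(renderListing(SAMPLE_NAMES, renderRowUnsafe));
console.log(renderListing(SAMPLE_NAMES));
```

Running the block prints the two listings: the first carries a live script element, the second shows the same name as inert text. The practical takeaway for review is that the check belongs at the rendering boundary, per output context, rather than in a filename allow-list, because a file system will happily store names containing `<`, `>` and quotes.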
Affected products
Range: prior to 4.0.11, 4.1.5, and 4.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.