VYPR
High severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-45778

Description

Authenticated attacker can inject JavaScript into user profiles to capture credentials via Open XDMoD password reset.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Prior to version 11.0.3, Open XDMoD is vulnerable to a reflected cross-site scripting (XSS) flaw. An authenticated attacker can inject malicious JavaScript into their user profile. This payload can be triggered when a victim visits a specially crafted password reset link, leading to the execution of unsanitized JavaScript in the victim's browser. All deployments of Open XDMoD prior to 11.0.3 are impacted [1].

Exploitation

An authenticated attacker must first inject malicious JavaScript into their Open XDMoD user profile. Subsequently, the attacker abuses the password reset functionality to send an email containing a link to an HTML page to a victim. When the victim visits this link, the injected JavaScript payload is reflected and executed within the victim's browser context [1].

Impact

Successful exploitation allows an attacker to capture credentials and potentially take over an Open XDMoD account. The unsanitized payload executes in the victim's browser, enabling actions such as credential capture and unauthorized account access [1].

Mitigation

The vulnerability was patched in Open XDMoD 11.0.3, released on 2026-05-12 [1]. As a workaround, users can apply the provided patch manually to their installation before upgrading. Instructions for manual patching are available in the references [1].
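The Vulnerability and Mitigation sections above describe the general class of bug (a user-controlled profile value rendered into a password-reset page without encoding) and the general fix (encode untrusted values at output time). The following is an added, illustrative example written for this page; it is not Open XDMoD code and does not reflect its actual page structure or the 11.0.3 patch. The template, the constructed display name, the link value and the `unexpected_tags` helper are all assumptions made up for the demonstration.

```python
import html
import re
from string import Template

# Constructed sample input: a profile display name that carries HTML markup.
# Illustrative only; not a value taken from Open XDMoD or the advisory.
PROFILE_DISPLAY_NAME = 'Mallory <b>bold</b> "quoted"'
RESET_LINK = "https://xdmod.example.invalid/reset?token=EXAMPLE"  # placeholder

# Hypothetical reset-page template. The real Open XDMoD page is not shown on
# the advisory, so this stands in for "a page that echoes profile data".
RESET_PAGE = Template(
    "<html><body><p>Password reset requested for $name.</p>"
    '<a href="$link">Reset password</a></body></html>'
)


def render_reset_page_unsafe(display_name: str, link: str) -> str:
    """Vulnerable pattern: profile data is substituted into HTML verbatim,
    so any markup the account owner stored in the profile reaches the
    browser of whoever opens the reset page."""
    return RESET_PAGE.substitute(name=display_name, link=link)


def render_reset_page_safe(display_name: str, link: str) -> str:
    """Hardened pattern: every untrusted value is HTML-entity-encoded at the
    point of output (quote=True also encodes quotes for attribute contexts)."""
    return RESET_PAGE.substitute(
        name=html.escape(display_name, quote=True),
        link=html.escape(link, quote=True),
    )


# Matches the tag name of any opening or closing tag, e.g. "<b>" or "</p>".
TAG_NAME_RE = re.compile(r"</?\s*([a-zA-Z][\w-]*)")


def unexpected_tags(page_html: str, template: Template = RESET_PAGE) -> list:
    """Detection helper (hypothetical): list tag names present in the rendered
    page that the template itself never emits. A non-empty result means
    untrusted data was rendered as live markup."""
    allowed = {t.lower() for t in TAG_NAME_RE.findall(template.template)}
    found = {t.lower() for t in TAG_NAME_RE.findall(page_html)}
    return sorted(found - allowed)


if __name__ == "__main__":
    unsafe = render_reset_page_unsafe(PROFILE_DISPLAY_NAME, RESET_LINK)
    safe = render_reset_page_safe(PROFILE_DISPLAY_NAME, RESET_LINK)
    print("unsafe render leaks tags:", unexpected_tags(unsafe))  # ['b']
    print("safe render leaks tags:  ", unexpected_tags(safe))    # []
```

The check in `unexpected_tags` is a cheap regression test a deployment could run against its own rendered pages after upgrading: seed a test account's profile with harmless markup such as `<b>`, render the reset flow, and fail the test if any tag not owned by the template appears in the output.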

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Ubccr/Xdmod (inferred), 2 version entries, both without CPE: range <11.0.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.