CVE-2026-50876
Description
Deck9 Input v2.0.1's webhook status UI renders attacker-controlled response bodies as HTML, enabling stored XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Deck9 Input v2.0.1 stores HTTP response bodies from configured webhooks and later renders them in the submission webhook status UI as HTML [1]. The CallWebhookJob sends the webhook request and stores the response body; FormSessionWebhookResource exposes the stored value to the frontend. Instead of treating the response as inert text, the frontend status component renders it as active HTML [1]. This allows a webhook endpoint controlled by an attacker to return crafted payloads that become stored script content for users viewing the status page [1].
Exploitation
An attacker must first configure a form webhook in Deck9 Input 2.0.1 to point to an attacker-controlled HTTP endpoint [1]. When that endpoint returns a response body containing malicious HTML or script (e.g., an image tag with an event handler), `CallWebhookJob` stores the response. Subsequently, any user who can view submissions and opens the form session webhook status UI will see the stored response rendered as HTML, causing the script to execute in their browser [1]. No special authentication is required beyond being a valid user who can view submissions.
Impact
Successful exploitation results in stored cross-site scripting (XSS) within an authenticated application view [1]. The attacker's controlled webhook response executes in the browser context of a user viewing the affected submission status, granting access to that user's Input session and same-origin application data [1]. This can lead to session hijacking, data theft, or further attacks within the application's security context.
Mitigation
As of the publication date (2026-06-15), no fixed version has been released for Deck9 Input 2.0.1 [1]. The vendor has not announced a patch or workaround. Users should consider disabling the webhook status display feature if possible, or restricting access to the submission status UI to trusted users only. Monitor vendor channels for an update that properly escapes HTML in webhook response bodies.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The frontend renders the webhook response body as HTML instead of inert text, allowing attacker-controlled content to execute scripts."
Attack vector
An attacker configures a form webhook in Deck9 Input v2.0.1 to point at an attacker-controlled HTTP endpoint. That endpoint returns a response body containing active HTML or script content (e.g., an image tag with an event handler). When a user submits the form, `CallWebhookJob` stores the response body, and later a user viewing the submission webhook status UI sees the stored response rendered as HTML, executing the attacker's payload in the authenticated application context [1].
Affected code
The vulnerability resides in `CallWebhookJob`, which stores the webhook response body, and `FormSessionWebhookResource`, which exposes that stored response to the frontend. The frontend status component renders the response as HTML rather than inert text [1].
What the fix does
The advisory does not include a published patch. To remediate, the webhook response body must be rendered as inert text (e.g., HTML-encoded) in the frontend status component instead of being interpreted as HTML. The backend should also consider sanitizing or escaping stored webhook responses before serving them to the UI [1].
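The rendering change described above, as an added example that is not part of the advisory or of Deck9 Input's own code: the vulnerable string-interpolation pattern beside its HTML-encoded counterpart, plus a check that tells the two apart on rendered markup. The stored record shape (`status`, `body`), the function names and the length bound are assumptions.

```javascript
// Added example (not Deck9 Input's own code). The status tooltip is modelled
// as a string-producing template so it runs under Node without a DOM.
// Record shape and function names are assumptions.

// Constructed sample of a stored webhook response, as an attacker-controlled
// endpoint might return it. Here it is only a string and cannot run.
const storedResponse = {
  status: 200,
  body: '<img src=x onerror="alert(1)">',
};

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the body is interpolated straight into markup, which is
// what innerHTML / v-html style rendering of the stored value amounts to.
function renderStatusUnsafe(resp) {
  return `<div class="webhook-status" data-status="${resp.status}">${resp.body}</div>`;
}

// Hardened pattern: the body is HTML-encoded, so the browser shows the tag
// text literally instead of creating an element with an event handler.
// In a live DOM this is equivalent to assigning the body to textContent.
function renderStatusSafe(resp) {
  return `<div class="webhook-status" data-status="${Number(resp.status)}">${escapeHtml(resp.body)}</div>`;
}

// Review check: true when the rendered markup still contains a raw tag taken
// from the response body, i.e. the component is treating it as active HTML.
function containsRawTag(markup, body) {
  const tag = String(body).match(/<[a-zA-Z][^>]*>/);
  return tag !== null && markup.includes(tag[0]);
}

// Backend-side defence in depth: persist the body as bounded plain text so the
// resource never hands the UI an unbounded attacker-controlled blob.
function storeWebhookResponseBody(body, maxLen = 4096) {
  return String(body).slice(0, maxLen);
}
```

With the sample record, `containsRawTag` is true for the unsafe renderer and false for the safe one; the same check can be applied to any serialized status markup during review.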
Preconditions
- config: The attacker must control an HTTP endpoint that can be configured as a webhook URL in Deck9 Input v2.0.1.
- auth: A user with permission to view form submissions must open the submission webhook status UI after the webhook has been delivered.
- input: The attacker's endpoint must return a response body containing active HTML or script content.
Reproduction
Configure a form webhook in Deck9 Input 2.0.1 to point at an attacker-controlled HTTP endpoint. Make that endpoint return a response body containing a harmless HTML or script marker, such as an image tag with an event handler. Submit the form so `CallWebhookJob` delivers the webhook and stores the response body. Open the form session webhook status UI as a user who can view submissions. Observe the stored webhook response rendered as HTML in the status tooltip or response view [1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.