CVE-2022-42948

CRITICAL 9.8

⚠️ CISA KEV

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.

Vendor	n/a
Product	n/a
Published	Mar 24, 2023
Last Updated	Oct 21, 2025

⚠️ Actively Exploited — Act Now

Get instant alerts for n/a n/a

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2022-42948.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

n/a / n/a

n/a

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cobaltstrike.com: https://www.cobaltstrike.com/blog/ redpacketsecurity.com: https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/ thesecmaster.com: https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/ cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42948