CVE-2026-22674

MEDIUM 4.8

Hashgraph Guardian Stored XSS via branding companyName field

CVSS Score

4.8

EPSS Score

0.0%

EPSS Percentile

0th

Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.

CWE	CWE-79
Vendor	hashgraph
Product	guardian
Published	Jun 18, 2026

Stay Ahead of the Next One

Get instant alerts for hashgraph guardian

Be the first to know when new medium vulnerabilities affecting hashgraph guardian are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

hashgraph / guardian

0 ≤ 3.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/hashgraph/guardian/pull/6190 github.com: https://github.com/hashgraph/guardian/commit/ba8c566807848cf84360716438056d8d8d2c8362 vulncheck.com: https://www.vulncheck.com/advisories/hashgraph-guardian-stored-xss-via-branding-companyname-field

Credits

Christ Bouchuen