CVE-2026-40028

MEDIUM 5.4

Hayabusa < 3.8.0 XSS via JSON Log Import

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

9th

Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution.

CWE	CWE-79
Vendor	yamato-security
Product	hayabusa
Published	Apr 8, 2026
Last Updated	Apr 11, 2026

Stay Ahead of the Next One

Get instant alerts for yamato-security hayabusa

Be the first to know when new medium vulnerabilities affecting yamato-security hayabusa are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Yamato-Security / hayabusa

0 ≤ 3.7.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0 mobasi.ai: https://mobasi.ai/sentinel vulncheck.com: https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import

Credits

Mobasi Security Team