CVE-2026-42224

HIGH 7.6

ipl/web is vulnerable to reflected XSS by malformed search requests

CVSS Score

7.6

EPSS Score

0.0%

EPSS Percentile

12th

ipl/web is a set of common web components for php projects. Prior to versions 0.13.1 and 0.10.3, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in versions 0.13.1 and 0.10.3.

CWE	CWE-79
Vendor	icinga
Product	ipl-web
Published	May 8, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for icinga ipl-web

Be the first to know when new high vulnerabilities affecting icinga ipl-web are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Icinga / ipl-web

>= 0.11.0, < 0.13.1 < 0.10.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf github.com: https://github.com/Icinga/ipl-web/commit/f387e92504d7a03bb857d1aee9b7410e06dd065d github.com: https://github.com/Icinga/ipl-web/releases/tag/v0.10.3 github.com: https://github.com/Icinga/ipl-web/releases/tag/v0.13.1