๐Ÿ” CVE Alert

CVE-2026-55437

MEDIUM 5.4

Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component

CVSS Score
5.4
EPSS Score
0.3%
EPSS Percentile
23th

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available.

CWE CWE-79
Vendor coder
Product coder
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for coder coder

Be the first to know when new medium vulnerabilities affecting coder coder are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

coder / coder
>= 2.34.0, < 2.34.2 >= 2.33.0, < 2.33.8 >= 2.30.0, < 2.32.7 < 2.29.17

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/coder/coder/security/advisories/GHSA-7qw2-f75v-62f7 github.com: https://github.com/coder/coder/pull/25808 github.com: https://github.com/coder/coder/releases/tag/v2.29.17 github.com: https://github.com/coder/coder/releases/tag/v2.32.7 github.com: https://github.com/coder/coder/releases/tag/v2.33.8 github.com: https://github.com/coder/coder/releases/tag/v2.34.2