FKIE_CVE-2026-0824

Vulnerability from fkie_nvd - Published: 2026-01-10 15:15 - Updated: 2026-04-29 01:00
Severity
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Summary
A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as well.
References
cna@vuldb.comhttps://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20QuestDB%20database.md
cna@vuldb.comhttps://github.com/questdb/questdb/releases/tag/9.3.0
cna@vuldb.comhttps://github.com/questdb/ui/
cna@vuldb.comhttps://github.com/questdb/ui/commit/b42fd9f18476d844ae181a10a249e003dafb823d
cna@vuldb.comhttps://github.com/questdb/ui/pull/518
cna@vuldb.comhttps://github.com/questdb/ui/pull/519#issue-3790862030
cna@vuldb.comhttps://vuldb.com/?ctiid.340357
cna@vuldb.comhttps://vuldb.com/?id.340357
cna@vuldb.comhttps://vuldb.com/?submit.733253
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix \"is going to be released as a part of QuestDB 9.3.0\" as well."
    },
    {
      "lang": "es",
      "value": "Una falla de seguridad ha sido descubierta en questdb ui hasta 1.11.9. Afectada es una funci\u00f3n desconocida del componente Consola Web. La manipulaci\u00f3n resulta en cross site scripting. El ataque puede ser ejecutado remotamente. El exploit ha sido liberado al p\u00fablico y puede ser usado para ataques. Se recomienda actualizar a la versi\u00f3n 1.1.10 para abordar este problema. El parche se identifica como b42fd9f18476d844ae181a10a249e003dafb823d. Deber\u00eda actualizar el componente afectado. El proveedor confirm\u00f3 tempranamente que la correcci\u00f3n \u0027ser\u00e1 lanzada como parte de QuestDB 9.3.0\u0027 tambi\u00e9n."
    }
  ],
  "id": "CVE-2026-0824",
  "lastModified": "2026-04-29T01:00:01.613",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "cna@vuldb.com",
        "type": "Secondary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 1.4,
        "source": "cna@vuldb.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.0,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@vuldb.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-10T15:15:50.137",
  "references": [
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20QuestDB%20database.md"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/questdb/questdb/releases/tag/9.3.0"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/questdb/ui/"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/questdb/ui/commit/b42fd9f18476d844ae181a10a249e003dafb823d"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/questdb/ui/pull/518"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://github.com/questdb/ui/pull/519#issue-3790862030"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?ctiid.340357"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?id.340357"
    },
    {
      "source": "cna@vuldb.com",
      "url": "https://vuldb.com/?submit.733253"
    }
  ],
  "sourceIdentifier": "cna@vuldb.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "cna@vuldb.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.