Description
STIG Manager is an API and web client for managing Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting (XSS) vulnerability in the OIDC authentication error handling code in `src/init.js` and `public/reauth.html`. During the OIDC redirect flow, the `error` and `error_description` query parameters returned by the OIDC provider are written directly to the DOM via `innerHTML` without HTML escaping. An attacker who can craft a malicious redirect URL and convince a user to follow it can execute arbitrary JavaScript in the application's origin context. The vulnerability is most severe when the targeted user has an active STIG Manager session running in another browser tab — injected code executes in the same origin and can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data. The vulnerability is patched in version 1.6.8. There is no workaround short of upgrading. Deployments behind a web application firewall that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching.
INFO
Published Date :
2026-04-23T00:40:23.187Z
Last Modified :
2026-04-23T13:59:46.539Z
Source :
GitHub_M
AFFECTED PRODUCTS
The following products are affected by CVE-2026-41200 vulnerability.
| Vendors | Products |
|---|---|
| Nuwcdivnpt |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41200.
