Cross-site Scripting (XSS) Affecting wazuh-dashboard-fips package, versions <4.14.4-r2


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.23% (14th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-WAZUHDASHBOARDFIPS-16512008
  • published8 May 2026
  • disclosed23 Apr 2026

Introduced: 23 Apr 2026

CVE-2026-41238  (opens in a new tab)
CWE-79  (opens in a new tab)
CWE-1321  (opens in a new tab)

How to fix?

Upgrade Chainguard wazuh-dashboard-fips to version 4.14.4-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream wazuh-dashboard-fips package and not the wazuh-dashboard-fips package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize() with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype pollution gadget can inject permissive tagNameCheck and attributeNameCheck regex values into Object.prototype, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.

CVSS Base Scores

version 3.1