CVE-2026-4995

wandb OpenUI Window Message Event index.html cross site scripting

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79 CWE-94

Vexday Risk Score

33Atención

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 5.1EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Ciclo de vida

28 mar 2026Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Productos afectados

wandb · OpenUI

PoCs públicas encontradas — 1

cve_referencegist.github.com/YLChen-007/899f210b2d78e163d13561bb7f49b4dano verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://gist.github.com/YLChen-007/899f210b2d78e163d13561bb7f49b4da https://vuldb.com/?ctiid.353882 https://vuldb.com/?id.353882 https://vuldb.com/?submit.778267