CVE Catalog

CVE-2026-22674

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

Hashgraph Guardian up to version 3.6.0 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API.

Risk Assessment

Attackers can exploit this vulnerability to execute arbitrary JavaScript in the browsers of all authenticated users, potentially leading to data theft or session hijacking.

Recommendation

It is recommended to upgrade to version 3.6.1 or later to mitigate this vulnerability and to review and validate values submitted through the API to prevent script injections.

Original NVD description (English source)

Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS