An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.
References
Link | Resource |
---|---|
https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/static/scripts/admin_users.js#L201 | Product |
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0 | Release Notes |
https://www.mgm-sp.com/cve/html-injection-in-vaultwarden | Exploit Third Party Advisory |
Configurations
History
10 Jul 2025, 13:22
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/static/scripts/admin_users.js#L201 - Product | |
References | () https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0 - Release Notes | |
References | () https://www.mgm-sp.com/cve/html-injection-in-vaultwarden - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:dani-garcia:vaultwarden:1.30.3:*:*:*:*:*:*:* | |
First Time |
Dani-garcia vaultwarden
Dani-garcia |
18 Mar 2025, 19:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CWE | CWE-79 |
09 Jan 2025, 18:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : unknown |
CWE |
11 Nov 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Sep 2024, 11:47
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-13 18:15
Updated : 2025-07-10 13:22
NVD link : CVE-2024-39926
Mitre link : CVE-2024-39926
CVE.ORG link : CVE-2024-39926
JSON object : View
Products Affected
dani-garcia
- vaultwarden
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')