CVE-2026-36728 Overview
CVE-2026-36728 is a stored, markdown-based cross-site scripting (XSS) vulnerability in the AI assistant chat function of FastapiAdmin v2.2.0. An attacker submits a chat message containing a crafted markdown payload; when the application renders that message for another user, the embedded script or HTML executes in that user's browser session. The flaw is classified under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Exploitation requires low-privileged authenticated access and user interaction: a victim has to open the conversation that holds the payload. The CVSS scope is Changed, because the payload executes under the FastapiAdmin origin in the victim's browser and therefore reaches the victim's authenticated session, not only the chat component that failed to neutralize the input.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript or HTML in other administrators' browsers through the AI assistant chat. Script running under the admin origin can issue authenticated API requests as the victim, read any session material that JavaScript can reach, and rewrite the admin UI, so the practical outcome is session hijacking, UI manipulation and lateral actions within the admin panel.
Affected Products
- FastapiAdmin v2.2.0
- AI assistant chat component within FastapiAdmin v2
- Deployments exposing the FastapiAdmin AI chat interface to multiple users
Discovery Timeline
- 2026-06-09 - CVE-2026-36728 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-36728
Vulnerability Analysis
The vulnerability resides in the AI assistant chat function of FastapiAdmin v2.2.0. The chat interface accepts markdown-formatted input, stores it, and renders it for other users without neutralizing embedded HTML or script constructs. When a victim views the rendered chat message, the injected payload executes inside the FastapiAdmin web origin.
Because the AI assistant chat is part of an administrative interface, the code runs in a privileged browser context. An attacker can read or manipulate the DOM, exfiltrate any session token that is accessible to JavaScript (a cookie flagged HttpOnly cannot be read directly, but the script can still send requests that carry it), trigger authenticated API requests on behalf of the victim, and modify the rendered admin UI. The attack vector is network-based and requires the victim to interact with the malicious chat content.
The EPSS probability for in-the-wild exploitation is currently low, but the impact within multi-administrator FastapiAdmin deployments remains meaningful given the privileged context of victims.
Root Cause
The root cause is insufficient output encoding and sanitization in the markdown rendering pipeline used by the AI assistant chat. Many markdown renderers pass inline HTML through unchanged by default, and a renderer that does escape raw HTML still emits attacker-chosen link and image destinations. Without raw-HTML passthrough disabled, URL schemes restricted, and an allowlist-based sanitizer such as DOMPurify applied to the rendered output before it is inserted into the DOM, attacker-controlled tags, event handlers and javascript: links reach the page intact.
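The two renderer behaviours described above, side by side, as an added example that is not FastapiAdmin's code: a deliberately small inline-markdown renderer (links, images, bold, inline code) whose unsafe configuration models a renderer with raw-HTML passthrough on and no link validation, and whose safe configuration escapes raw tags and accepts only http, https and mailto destinations. The function names, the probe() handler and the sample messages are all constructed for the illustration. Production code should use a mature renderer with raw HTML disabled and run DOMPurify over its output before insertion into the DOM; this block only shows why those two settings matter.

```javascript
// Added example, not code from FastapiAdmin. A minimal inline-markdown
// renderer in two configurations, to show the effect of raw-HTML
// passthrough and of unvalidated link destinations. Supported syntax:
// [text](url), ![alt](src), **bold**, `code`, and raw <tags>.

const SAFE_SCHEMES = ['http:', 'https:', 'mailto:'];

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Deny-by-default URL check: keep site-relative paths and absolute URLs whose
// parsed scheme is allowlisted; everything else (javascript:, data:,
// vbscript:, scheme-less text, unparsable input) becomes an empty string.
// Parsing with URL first defeats obfuscation such as "java\tscript:", which
// browsers normalize to javascript: before following the link.
function safeUrl(raw) {
  const t = raw.trim();
  if (t.startsWith('/') && !t.startsWith('//')) return t;
  try {
    const u = new URL(t);
    return SAFE_SCHEMES.includes(u.protocol) ? u.href : '';
  } catch {
    return '';
  }
}

function renderMarkdown(src, { allowRawHtml }) {
  // link/image | **bold** | `code` | raw tag
  const token = /(!?)\[([^\]]*)\]\(([^)\s]+)\)|\*\*([^*]+)\*\*|`([^`]+)`|<\/?[a-zA-Z][^<>]*>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = token.exec(src)) !== null) {
    out += escapeHtml(src.slice(last, m.index)); // plain text is always escaped
    last = token.lastIndex;
    if (m[3] !== undefined) { // link or image
      const url = allowRawHtml ? m[3] : safeUrl(m[3]);
      if (!url) {
        out += escapeHtml(m[0]); // rejected destination: show the markdown literally
      } else if (m[1]) {
        out += `<img src="${escapeHtml(url)}" alt="${escapeHtml(m[2])}">`;
      } else {
        out += `<a href="${escapeHtml(url)}">${escapeHtml(m[2])}</a>`;
      }
    } else if (m[4] !== undefined) {
      out += `<strong>${escapeHtml(m[4])}</strong>`;
    } else if (m[5] !== undefined) {
      out += `<code>${escapeHtml(m[5])}</code>`;
    } else {
      // Raw HTML tag. Passing it through is the vulnerable behaviour:
      // attacker-chosen tags and event handlers reach the DOM intact.
      out += allowRawHtml ? m[0] : escapeHtml(m[0]);
    }
  }
  return out + escapeHtml(src.slice(last));
}

// Vulnerable and hardened configurations of the same renderer.
const renderUnsafe = (md) => renderMarkdown(md, { allowRawHtml: true });
const renderSafe = (md) => renderMarkdown(md, { allowRawHtml: false });

// Constructed chat messages; probe() stands in for whatever an attacker would run.
const SAMPLE_MESSAGES = [
  'Export as **CSV**: see [docs](https://example.com/a?b=1&c=2)',
  'Thanks! <img src=x onerror=probe()>',
  '[open the report](javascript:probe)',
];

for (const msg of SAMPLE_MESSAGES) {
  console.log('unsafe:', renderUnsafe(msg));
  console.log('safe:  ', renderSafe(msg));
}
```

The benign first message renders identically under both configurations, which is the point: disabling raw HTML and validating destinations costs ordinary markdown nothing. The second message survives the unsafe renderer byte for byte, and the third becomes a javascript: anchor there, while the safe renderer shows both as literal text.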
Attack Vector
An authenticated attacker submits a chat message containing a crafted markdown payload that smuggles HTML, <script> tags, or event handlers (for example, onerror on an <img> element) into the assistant conversation. When another authenticated user opens the conversation, the application renders the markdown and the embedded JavaScript executes under the FastapiAdmin origin.
No synthetic exploit code is reproduced here. Technical details and proof-of-concept material are available in the GitHub Vulnerability Report.
Detection Methods for CVE-2026-36728
Indicators of Compromise
- Chat messages stored in the FastapiAdmin AI assistant database containing <script> tags, javascript: or data: URIs (including entity-encoded or whitespace-split variants of those schemes), or HTML event handler attributes such as onerror, onload, or onclick.
- Outbound browser requests from administrator sessions to unfamiliar domains immediately after viewing AI assistant conversations.
- Authenticated API calls in FastapiAdmin's server logs (user or role changes, data exports) attributed to an administrator session with no matching UI action, especially shortly after that administrator viewed an AI assistant conversation.
Detection Strategies
- Inspect persisted chat records for markdown content containing raw HTML tags, inline event handlers, or data: and javascript: URI schemes; decode HTML entities and strip tabs and newlines before matching, since browsers apply the same normalization to URL schemes.
- Deploy a Content Security Policy that disallows inline script, in report-only mode if the UI has not been tested against it, and collect its violation reports: a stored payload that tries to execute then appears as a violation against the FastapiAdmin origin. A policy that keeps 'unsafe-inline' in script-src reports nothing useful for this bug.
- Review web server and application logs for chat submissions whose length or character set is atypical of normal assistant prompts, for example prompts containing angle brackets, quoted attributes or URL schemes.
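The record inspection described in the indicators and detection strategies above, as an added example that is not part of FastapiAdmin: a scanner that normalizes each stored chat message (entity decoding, tab/newline stripping, lowercasing) and then matches the indicator patterns. The record shape, field names, sample rows and the probe placeholder are constructed for the illustration; the loader would be replaced by a query against the real chat table.

```javascript
// Added example, not FastapiAdmin code: scan persisted AI assistant chat
// records for the indicators listed above. Record shape and contents are
// constructed; replace SAMPLE_RECORDS with rows read from the real chat table.

// Patterns run against a normalized copy of the message, so entity encoding,
// mixed case and embedded tabs/newlines do not hide a payload.
const INDICATORS = [
  { name: 'script_tag',     re: /<\s*script\b/ },
  { name: 'event_handler',  re: /<[^>]*[\s/"']on[a-z]+\s*=/ },
  { name: 'javascript_uri', re: /javascript\s*:/ },
  { name: 'data_uri',       re: /data\s*:\s*text\/html/ },
  { name: 'raw_html_tag',   re: /<\/?[a-z][^<>]*>/ },
];

const NAMED_ENTITIES = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };

function codePointOrEmpty(n) {
  return Number.isFinite(n) && n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Decode numeric and the common named entities, drop the control characters
// browsers ignore inside URL schemes, and lowercase for matching.
function normalize(text) {
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointOrEmpty(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointOrEmpty(parseInt(d, 10)))
    .replace(/&(lt|gt|quot|amp|apos);/gi, (_, n) => NAMED_ENTITIES[n.toLowerCase()])
    .replace(/[\t\n\r\0]/g, '')
    .toLowerCase();
}

// Returns the names of every indicator that matches, in INDICATORS order.
function scanMessage(content) {
  const norm = normalize(content);
  return INDICATORS.filter((i) => i.re.test(norm)).map((i) => i.name);
}

// Returns only the records that need review, with the matched indicator names.
function scanRecords(records) {
  return records
    .map((r) => ({ id: r.id, author: r.author, hits: scanMessage(r.content) }))
    .filter((r) => r.hits.length > 0);
}

// Constructed sample rows; probe stands in for an attacker's handler or URL.
const SAMPLE_RECORDS = [
  { id: 1, author: 'alice',   content: 'How do I export the user table as **CSV**?' },
  { id: 2, author: 'mallory', content: 'Thanks! <img src=x onerror=probe()>' },
  { id: 3, author: 'mallory', content: '[help](&#106;ava\tscript:probe)' },
  { id: 4, author: 'bob',     content: 'Compare `a < b` with `a > b` in the filter' },
  { id: 5, author: 'mallory', content: '<a href="data:text/html,probe">report</a>' },
];

for (const hit of scanRecords(SAMPLE_RECORDS)) {
  console.log(`record ${hit.id} by ${hit.author}: ${hit.hits.join(', ')}`);
}
```

Hits are review candidates, not proof of exploitation: entity decoding is deliberately over-broad (an entity-encoded tag in plain text renders as text, but the same encoding inside a link destination yields a live javascript: URL), so a reviewer looks at each flagged record in context. Record 3 shows why normalization comes first: neither the raw entity nor the tab-split scheme matches the javascript_uri pattern without it, while record 4 shows that stray comparison operators in ordinary prompts do not trigger the tag pattern.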
Monitoring Recommendations
- Monitor administrator account activity for actions performed shortly after AI assistant interactions, particularly privilege changes or data exports.
- Alert on browser-originated requests to external hosts from authenticated admin sessions.
- Track CSP report-uri or report-to endpoints for violations tied to the FastapiAdmin origin.
How to Mitigate CVE-2026-36728
Immediate Actions Required
- Restrict access to the FastapiAdmin AI assistant chat to trusted users until a patched version is deployed.
- Audit existing AI assistant chat histories for stored payloads and purge messages containing raw HTML, script content or javascript:/data: links. Stored XSS lives in the database, so a fix applied only at submission time leaves previously planted payloads active; removing them matters even after upgrading.
- Rotate session tokens and administrator credentials if suspicious chat content is identified.
Patch Information
No vendor patch is referenced in the NVD record at the time of publication. Monitor the GitHub Vulnerability Report and the upstream FastapiAdmin project for a fixed release. Upgrade to the patched version as soon as it becomes available.
Workarounds
- Disable the AI assistant chat feature in FastapiAdmin v2.2.0 until a fix is published.
- Deploy a strict Content Security Policy that forbids inline scripts and restricts script sources to the application origin. Roll it out as Content-Security-Policy-Report-Only first, because an admin UI that depends on inline scripts breaks under a strict policy, and do not weaken it with 'unsafe-inline', which removes the protection this bug needs.
- Place the FastapiAdmin interface behind a reverse proxy that strips dangerous HTML tags and attributes from chat message payloads. Treat this as a stopgap: pattern-based filtering is routinely bypassed with encoding and markdown tricks, so it reduces exposure without fixing the renderer.
- Configure the markdown renderer to disable raw HTML passthrough, restrict link and image URLs to http, https and mailto, and apply allowlist sanitization (for example DOMPurify) to the rendered output before insertion into the DOM. This is the actual fix; the other workarounds only narrow the window.
# Example nginx CSP header for the reverse proxy in front of FastapiAdmin. With script-src 'self' and no 'unsafe-inline', injected <script> blocks and inline event handlers do not run; markup injection that needs no script (fake forms, altered links) is not prevented by CSP.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


