CVE-2026-41200 Overview
CVE-2026-41200 is a reflected Cross-Site Scripting (XSS) vulnerability in STIG Manager, an API and web client used for managing Security Technical Implementation Guides (STIG) assessments of Information Systems. The vulnerability exists in the OIDC authentication error handling code within src/init.js and public/reauth.html. During the OIDC redirect flow, the error and error_description query parameters returned by the OIDC provider are written directly to the DOM via innerHTML without proper HTML escaping, allowing attackers to inject and execute arbitrary JavaScript.
Critical Impact
An attacker who crafts a malicious redirect URL and convinces a user to follow it can execute arbitrary JavaScript in the application's origin context. When the targeted user has an active STIG Manager session running in another browser tab, injected code can communicate with the SharedWorker managing the active access token, enabling authenticated API requests on behalf of the victim including reading and modifying collection data.
Affected Products
- STIG Manager versions 1.5.10 through 1.6.7
Discovery Timeline
- 2026-04-23 - CVE CVE-2026-41200 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41200
Vulnerability Analysis
This reflected XSS vulnerability (CWE-79) occurs in the OIDC authentication error handling pathway of STIG Manager. The application's front-end code in src/init.js and public/reauth.html processes error responses from the OIDC identity provider during the authentication redirect flow. The vulnerability arises because the error and error_description query parameters are directly inserted into the page DOM using the innerHTML property without any HTML encoding or sanitization.
This implementation allows an attacker to craft a malicious URL containing JavaScript payloads in these parameters. When a victim clicks the malicious link, the browser parses the injected content as legitimate HTML/JavaScript and executes it within the application's origin context.
Root Cause
The root cause is improper input validation and output encoding in the OIDC error handling code. The application trusts and directly renders user-controllable input (query parameters) without sanitization. Using innerHTML to insert untrusted data creates a direct pathway for script injection. The vulnerability is compounded by the application's architecture, which uses a SharedWorker to manage authentication tokens across browser tabs, making the impact of successful exploitation significantly more severe.
Attack Vector
The attack requires network access and user interaction. An attacker must craft a malicious URL that appears to be a legitimate OIDC redirect from the identity provider but includes XSS payloads in the error or error_description query parameters. Social engineering techniques such as phishing emails or malicious links embedded in forums or documents can be used to trick users into clicking the crafted URL.
Once the victim navigates to the malicious URL, the injected JavaScript executes in the context of the STIG Manager application origin. If the victim has an active authenticated session in another browser tab, the malicious script can interact with the SharedWorker managing the access token, enabling the attacker to make authenticated API calls. This allows reading, modifying, or deleting STIG assessment data on behalf of the victim.
The vulnerability mechanism involves unsafe DOM manipulation where OIDC error parameters from the URL query string are extracted and passed directly to innerHTML for rendering error messages to the user. Proper remediation requires using safe DOM methods such as textContent or implementing HTML entity encoding before insertion.
Detection Methods for CVE-2026-41200
Indicators of Compromise
- Unusual URL patterns containing HTML or JavaScript code in the error or error_description query parameters of OIDC callback endpoints
- Web server access logs showing requests to /reauth.html or authentication endpoints with encoded script tags in query strings
- Client-side monitoring detecting unexpected DOM modifications or script execution following OIDC redirects
Detection Strategies
- Implement Content Security Policy (CSP) headers to restrict inline script execution and report violations
- Deploy web application firewall (WAF) rules to detect and block reflected XSS payloads in query parameters
- Enable browser-based XSS auditors and monitor for triggered alerts in security logging infrastructure
Monitoring Recommendations
- Monitor authentication flow logs for anomalous error responses containing suspicious characters or encoded payloads
- Implement anomaly detection for API requests originating from sessions where OIDC errors were recently processed
- Review access logs for patterns indicating exploitation attempts against authentication endpoints
How to Mitigate CVE-2026-41200
Immediate Actions Required
- Upgrade STIG Manager to version 1.6.8 or later immediately to apply the security patch
- Review access logs for any evidence of exploitation attempts targeting the OIDC error handling endpoints
- Notify users to be cautious of unsolicited links purporting to be STIG Manager authentication flows
- Ensure proper Content Security Policy headers are configured to mitigate impact of potential XSS vulnerabilities
Patch Information
The vulnerability is patched in STIG Manager version 1.6.8. Organizations should upgrade from any affected version (1.5.10 through 1.6.7) to version 1.6.8 or later. For detailed patch information and release notes, refer to the GitHub Security Advisory.
Workarounds
- There is no workaround short of upgrading to the patched version
- Deployments behind a web application firewall (WAF) that filters reflected XSS payloads in query parameters may have partial mitigation, but this is not a substitute for patching
- Implement strict Content Security Policy headers as a defense-in-depth measure while planning the upgrade
# Example CSP header configuration for partial mitigation (not a substitute for patching)
# Add to your reverse proxy or web server configuration
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
