CVE-2026-42224 Overview
CVE-2026-42224 is a Cross-Site Scripting (XSS) vulnerability in ipl/web, a set of common web components used by PHP projects including Icinga Web. Versions prior to 0.13.1 allow an attacker to inject malicious JavaScript that executes in a victim's browser within the context of Icinga Web. Successful exploitation requires the victim to visit a specifically crafted website. The flaw is tracked under CWE-79 and has been patched in ipl/web version 0.13.1.
Critical Impact
An attacker can execute arbitrary JavaScript in the context of Icinga Web, enabling session hijacking, credential theft, and unauthorized actions on behalf of the authenticated user.
Affected Products
- ipl/web versions prior to 0.13.1
- Icinga Web deployments that depend on vulnerable ipl/web releases
- PHP web applications consuming the ipl/web component library
Discovery Timeline
- 2026-05-08 - CVE-2026-42224 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42224
Vulnerability Analysis
The vulnerability resides in how ipl/web handles HTTP responses for multipart content used by Icinga Web's asynchronous UI updates. The library generated a custom X-Icinga-Multipart-Content boundary header but did not explicitly set a corresponding Content-Type. As a result, a browser could perform content sniffing and interpret a response as HTML, executing attacker-controlled markup and JavaScript in the application's origin.
Because the script runs in the Icinga Web context, an attacker can read session data, perform privileged actions, exfiltrate dashboard contents, or pivot into the monitored infrastructure exposed through Icinga. Exploitation requires user interaction — the victim must visit a prepared page — and elevated privileges on the application side, which keeps the attack complexity high while still permitting full confidentiality, integrity, and availability impact within the application scope.
Root Cause
The root cause is missing Content-Type enforcement on multipart responses produced by CompatController.php. Without a strict media type, browser MIME sniffing can promote attacker-influenced response parts to executable HTML, satisfying the conditions for stored or reflected XSS [CWE-79].
Attack Vector
The attack is delivered over the network. An attacker lures an authenticated Icinga Web user to a malicious page, which triggers a request flow causing the vulnerable response to render in the victim's browser. The injected script then executes with the privileges of the active Icinga Web session.
}
} else {
$partSeparator = base64_encode(random_bytes(16));
- $this->getResponse()->setHeader('X-Icinga-Multipart-Content', $partSeparator);
+ $this->getResponse()
+ ->setHeader('X-Icinga-Multipart-Content', $partSeparator)
+ ->setHeader('Content-Type', 'application/vnd.icinga+multipart', True);
$this->document->setSeparator("\n$partSeparator\n");
$this->document->add($this->parts);
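Review bot: the third argument on the Content-Type line is written as `True`; PHP treats the literal case-insensitively, but the surrounding code and PSR style use lowercase, so prefer `->setHeader('Content-Type', 'application/vnd.icinga+multipart', true)`. Setting the media type removes the sniffing condition this hunk targets; emitting `X-Content-Type-Options: nosniff` alongside it on the same response would give defense in depth, matching the workaround this advisory recommends at the proxy layer. The other branch of the `if` is not visible in the hunk (only its closing brace is), so confirm that path also sends an explicit Content-Type rather than leaving it to the browser.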
Source: Icinga/ipl-web commit f387e92. The patch explicitly sets Content-Type: application/vnd.icinga+multipart, preventing browsers from MIME-sniffing the response into executable HTML.
Detection Methods for CVE-2026-42224
Indicators of Compromise
- Unexpected outbound requests from browsers immediately after loading Icinga Web pages, suggesting script-based data exfiltration.
- Icinga Web responses returning multipart payloads without an explicit Content-Type: application/vnd.icinga+multipart header.
- Anomalous DOM modifications or new <script> elements observed during user sessions in Icinga Web.
Detection Strategies
- Inventory PHP dependencies and flag any project pulling ipl/web at a version below 0.13.1.
- Inspect HTTP response headers on Icinga Web endpoints for missing Content-Type values on multipart responses.
- Review web server and reverse proxy logs for requests originating from unusual referrers that triggered authenticated multipart responses.
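Added example, not code from the advisory or the ipl/web project: a Python check that implements the first two detection strategies above, scanning a composer.lock document for ipl/web below 0.13.1 and flagging multipart responses that carry X-Icinga-Multipart-Content without the patched Content-Type or the nosniff workaround header. The composer.lock excerpt and the header sets are constructed samples.

```python
import json

PATCHED_VERSION = (0, 13, 1)
MULTIPART_TYPE = "application/vnd.icinga+multipart"

# Constructed sample composer.lock excerpt (not taken from any real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "icinga/icinga-php-library", "version": "v0.14.0"},
        {"name": "ipl/web", "version": "v0.12.1"},
    ],
    "packages-dev": [],
})
# Constructed response headers: one as the vulnerable library emits them, one patched.
VULNERABLE_HEADERS = {"X-Icinga-Multipart-Content": "c2FtcGxlc2VwYXJhdG9y"}
PATCHED_HEADERS = {
    "X-Icinga-Multipart-Content": "c2FtcGxlc2VwYXJhdG9y",
    "Content-Type": MULTIPART_TYPE,
    "X-Content-Type-Options": "nosniff",
}

def parse_version(text):
    """'v0.12.1' -> (0, 12, 1); a pre-release suffix after '-' is ignored."""
    core = text.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")[:3] if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def check_composer_lock(lock_text):
    """List ipl/web entries below the patched release in a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "ipl/web" and parse_version(pkg["version"]) < PATCHED_VERSION:
                findings.append(f"{section}: ipl/web {pkg['version']} is below 0.13.1")
    return findings

def check_multipart_response(headers):
    """Flag a multipart Icinga Web response that a browser could MIME-sniff into HTML."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-icinga-multipart-content" not in h:
        return []  # not a multipart response; nothing to check
    findings = []
    ctype = h.get("content-type", "")
    if not ctype.lower().startswith(MULTIPART_TYPE):
        findings.append(f"missing Content-Type {MULTIPART_TYPE} (got '{ctype or 'none'}')")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff (workaround header)")
    return findings
```

Feed `check_multipart_response` the header dict from any HTTP client or proxy log parser; a non-empty result on an authenticated Icinga Web endpoint means the deployment is still serving sniffable multipart output.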
Monitoring Recommendations
- Enable and monitor Content Security Policy (CSP) violation reports for the Icinga Web origin to surface injected script execution.
- Alert on authenticated Icinga Web sessions performing unusual API calls, configuration changes, or rapid sequential actions.
- Capture browser telemetry or WAF logs for response bodies containing executable HTML returned with non-standard or missing media types.
How to Mitigate CVE-2026-42224
Immediate Actions Required
- Upgrade ipl/web to version 0.13.1 or later across all PHP projects, including Icinga Web deployments.
- Audit installed Icinga modules that depend on ipl/web and rebuild composer lockfiles to ensure the patched version is pulled in transitively.
- Invalidate active Icinga Web sessions after patching to remove any session tokens that may have been targeted.
Patch Information
The fix is included in ipl/web release v0.13.1 and tracked in GitHub Security Advisory GHSA-55wf-5m3q-6jjf. The patch adds an explicit Content-Type header to multipart responses in src/Compat/CompatController.php, eliminating the MIME-sniffing condition that enabled script execution.
Workarounds
- If immediate upgrade is not possible, deploy a reverse proxy rule to enforce X-Content-Type-Options: nosniff on all Icinga Web responses to block browser MIME sniffing.
- Restrict access to Icinga Web to trusted networks or VPNs to reduce exposure to malicious externally hosted pages.
- Enforce a strict Content Security Policy that disallows inline scripts and limits script sources to trusted origins.
# Update ipl/web to the patched release via Composer
composer require ipl/web:^0.13.1
composer update ipl/web
# Verify the installed version
composer show ipl/web | grep versions
# Optional: enforce nosniff at the web server layer (nginx)
# add to server or location block serving Icinga Web
add_header X-Content-Type-Options "nosniff" always;
This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.