CVE-2026-5301 Overview
CVE-2026-5301 is a stored Cross-Site Scripting (XSS) vulnerability affecting the log viewer component in CoolerControl/coolercontrol-ui versions prior to 4.0.0. This vulnerability allows unauthenticated attackers to inject malicious JavaScript code through poisoned log entries, which is then executed when the log viewer is accessed by any user. Successful exploitation enables attackers to take over the service, potentially compromising the entire cooling control system.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in the context of any user viewing logs, enabling complete service takeover through malicious log entry injection.
Affected Products
- CoolerControl/coolercontrol-ui versions prior to 4.0.0
- CoolerControl version 2.0.0 (confirmed vulnerable)
- CoolerControl version 3.1.1 (confirmed vulnerable)
Discovery Timeline
- April 8, 2026 - CVE-2026-5301 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5301
Vulnerability Analysis
This stored XSS vulnerability exists in the AppInfoView.vue component of the CoolerControl UI. The log viewer fails to properly sanitize user-controlled data before rendering it in the browser, allowing malicious JavaScript to be embedded in log entries. When any user views the logs through the web interface, the injected script executes within their browser session.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which indicates a failure to sanitize or encode user-controlled input before including it in dynamically generated web content. The attack requires network access and user interaction (viewing the logs), but no authentication is needed to poison the log entries.
Root Cause
The root cause of CVE-2026-5301 lies in improper input sanitization within the log viewer component. The AppInfoView.vue file directly renders log content without encoding or escaping potentially dangerous HTML and JavaScript elements. Log entries from external sources are trusted and inserted into the DOM without validation, creating a persistent XSS attack surface.
Attack Vector
An attacker can exploit this vulnerability by injecting malicious JavaScript into log entries that are processed by the CoolerControl service. Since no authentication is required to poison logs, attackers can craft requests or manipulate data sources that feed into the logging system.
When a legitimate user (such as an administrator) opens the log viewer in the CoolerControl UI, the stored malicious payload executes in their browser context. This enables attackers to steal session tokens, perform actions on behalf of the user, modify system settings, or redirect users to malicious sites, ultimately leading to complete service takeover.
The vulnerability affects the log rendering mechanism in the AppInfoView.vue component. Technical details can be found in the GitLab 2.0.0 Code Review and GitLab 3.1.1 Code Review references. The fix is included in version 4.0.0, with details available in the GitLab 4.0.0 Release Notes.
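To make the CWE-79 pattern concrete, the following is an added JavaScript example; it is not code from AppInfoView.vue or the CoolerControl project. The unsafe branch stands in for a template that places log text into the DOM unencoded (innerHTML or Vue's v-html); that AppInfoView.vue used exactly that construct, and the sample entries, are assumptions. The safe branch shows the output-encoding fix, and a small audit helper shows how to tell the two apart.

```javascript
// Added example, not CoolerControl's own code. The unsafe branch stands in
// for a template that drops log text into the DOM unencoded (innerHTML or
// Vue's v-html); whether AppInfoView.vue used exactly that construct is an
// assumption, not something the advisory confirms.

// Constructed stand-ins for stored log entries (not real daemon output).
const SAMPLE_ENTRIES = [
  "INFO  daemon listening on port 8080",
  "WARN  device name rejected: <img src=x onerror=\"alert('xss')\">",
];

// Encode the five characters that carry meaning in HTML element and
// attribute context, so the browser displays them as literal text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: untrusted text is concatenated into markup unchanged, so a
// stored "<img onerror=...>" becomes a live element when the list is shown.
function renderLogUnsafe(entries) {
  return entries.map((e) => `<li class="log-line">${e}</li>`).join("\n");
}

// Hardened: same template, but the untrusted field is encoded at the
// point where it meets markup (output encoding, the CWE-79 fix).
function renderLogSafe(entries) {
  return entries.map((e) => `<li class="log-line">${escapeHtml(e)}</li>`).join("\n");
}

// Audit helper: after removing the <li> tags the template itself emits,
// any remaining raw tag or in-tag event handler came from log data.
function containsInjectedMarkup(html) {
  const body = html.replace(/<\/?li\b[^>]*>/g, "");
  return /<[a-z!\/]/i.test(body) || /<[^>]*\son[a-z]+\s*=/i.test(body);
}

console.log(containsInjectedMarkup(renderLogUnsafe(SAMPLE_ENTRIES))); // true
console.log(containsInjectedMarkup(renderLogSafe(SAMPLE_ENTRIES)));   // false
```

In a Vue single-file component the safe form is the default mustache interpolation (`{{ entry }}`), which text-encodes its argument; `v-html` is the directive that bypasses that encoding and is the construct to look for when reviewing a log viewer.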
Detection Methods for CVE-2026-5301
Indicators of Compromise
- Presence of <script> tags, event handlers (e.g., onerror, onload), or encoded JavaScript payloads within log entries
- Unusual outbound network connections originating from the CoolerControl UI during log viewing
- Unexpected session token exfiltration or authentication anomalies from users accessing the log viewer
- Modified system configuration or settings without authorized administrative action
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payload patterns in incoming requests that may poison log entries
- Monitor application logs for injection attempts containing HTML tags, JavaScript code, or encoded malicious content
- Deploy browser-based XSS detection mechanisms such as Content Security Policy (CSP) violation reporting
- Utilize SentinelOne's behavioral AI to detect anomalous script execution patterns in web applications
Monitoring Recommendations
- Enable verbose logging and monitor the CoolerControl service for suspicious log entry patterns
- Set up alerts for any <script> tags or JavaScript event handlers appearing in log data
- Regularly audit stored logs for evidence of injection attempts or malicious content
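The indicators and alert rules above can be turned into a scanner that runs over stored log lines. The block below is an added JavaScript example, not a CoolerControl or SentinelOne tool; the log line layout, the rule set and every sample line are constructed. It decodes percent- and entity-encoded text before matching, so the "encoded JavaScript payloads" indicator is covered, and it tolerates a bare percent sign (such as "60%"), which would otherwise make the decoder throw.

```javascript
// Added example, not project code: flag stored log lines carrying markup
// that a cooling daemon's log should never contain. All sample lines are
// constructed; none were captured from a real CoolerControl installation.
const SAMPLE_LOG = [
  "2026-04-08T10:00:01Z INFO  liquidctl: detected 2 devices",
  "2026-04-08T10:00:02Z WARN  profile name rejected: <script>alert(1)</script>",
  "2026-04-08T10:00:03Z INFO  custom sensor label: <svg onload=alert(1)>",
  "2026-04-08T10:00:04Z INFO  label: %3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
  "2026-04-08T10:00:05Z INFO  label: &lt;script&gt;alert(1)&lt;/script&gt;",
  "2026-04-08T10:00:06Z INFO  fan curve updated for pump at 60%",
];

// Each rule is a named pattern; none use the /g flag, so .test() is stateless.
const DETECTION_RULES = [
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "event-handler", re: /<[^>]*\son[a-z]+\s*=/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
  { name: "embedded-frame", re: /<\s*(?:iframe|object|embed)\b/i },
];

// Peel one layer of percent-encoding and the common HTML entities so that
// payloads stored in encoded form are matched by the same rules.
function decodeLayers(text) {
  let s = text;
  try {
    s = decodeURIComponent(s);
  } catch (_) {
    // A bare "%" (e.g. "60%") is not a valid escape sequence; keep raw text.
  }
  return s
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&#0*39;/g, "'")
    .replace(/&amp;/gi, "&");
}

// Result carries the rule names that fired and whether the payload was only
// visible after decoding (a useful field when triaging alerts).
function scanLogLine(line) {
  const rawHits = DETECTION_RULES.filter((r) => r.re.test(line)).map((r) => r.name);
  const decoded = decodeLayers(line);
  const decodedHits = DETECTION_RULES.filter((r) => r.re.test(decoded)).map((r) => r.name);
  return { line, hits: decodedHits, encoded: rawHits.length === 0 && decodedHits.length > 0 };
}

// Return only the lines that tripped at least one rule.
function scanLog(lines) {
  return lines.map(scanLogLine).filter((r) => r.hits.length > 0);
}

for (const finding of scanLog(SAMPLE_LOG)) {
  console.log(`${finding.encoded ? "[encoded] " : ""}${finding.hits.join(",")}: ${finding.line}`);
}
```

Run on a log export on a schedule, or wire `scanLogLine` into the log pipeline so an alert fires at write time rather than when someone opens the viewer. The rules are deliberately narrow (tags and handlers, not arbitrary angle brackets) to keep false positives from hardware names low; widen them only after checking what the daemon legitimately logs.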
How to Mitigate CVE-2026-5301
Immediate Actions Required
- Upgrade CoolerControl to version 4.0.0 or later immediately to address this vulnerability
- Audit existing log entries for signs of injected malicious content and sanitize if necessary
- Restrict network access to the CoolerControl service to trusted networks or users until patching is complete
- Implement Content Security Policy (CSP) headers to mitigate the impact of any stored XSS payloads
Patch Information
The vulnerability has been addressed in CoolerControl version 4.0.0. Users should upgrade to this version or later to remediate the stored XSS issue. Release details and download information are available in the GitLab 4.0.0 Release Notes.
Workarounds
- Disable or restrict access to the log viewer feature until the patch is applied
- Implement network-level access controls to limit who can reach the CoolerControl UI
- Deploy a reverse proxy with WAF capabilities to filter XSS payloads before they reach the application
- Sanitize existing log data by removing or encoding any HTML or JavaScript content
# Example: Restrict access to CoolerControl UI via firewall
# Allow only trusted IP ranges to access the service
sudo iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
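For the "sanitize existing log data" workaround and the log audit listed under immediate actions, the block below is an added JavaScript example, not a CoolerControl utility. It assumes a "timestamp level message" line layout and constructed sample content; it encodes the message field of every line, leaves the timestamp and level fields untouched, and reports which line numbers it changed so the audit result can be recorded. Existing entities are left alone, so running it twice does not double-encode.

```javascript
// Added example, not part of CoolerControl: one-shot clean-up of a stored log
// file so that already poisoned entries can no longer carry live markup.
// The "<timestamp> <level> <message>" layout and the sample are assumptions.
const SAMPLE_LOG_FILE = [
  "2026-04-08T09:58:11Z INFO  coolercontrold starting",
  "2026-04-08T09:58:12Z WARN  unknown sensor name: <img src=x onerror=alert(1)>",
  "2026-04-08T09:58:13Z INFO  shutdown requested by user",
].join("\n");

// Capture the prefix including its original whitespace so benign lines are
// reproduced byte-for-byte and do not show up as "changed".
const LINE_RE = /^(\S+\s+\S+\s+)(.*)$/;

// Encode markup-significant characters. The "&" rule skips text that is
// already an entity, which makes the whole pass idempotent.
function encodeMessage(msg) {
  return msg
    .replace(/&(?!(?:[a-z]+|#\d+);)/gi, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Returns the rewritten file and the 1-based numbers of the lines altered.
function sanitizeLogFile(text) {
  const changedLines = [];
  const out = text.split("\n").map((line, idx) => {
    const m = LINE_RE.exec(line);
    // Lines that do not fit the layout are encoded in full rather than skipped.
    const cleaned = m ? m[1] + encodeMessage(m[2]) : encodeMessage(line);
    if (cleaned !== line) changedLines.push(idx + 1);
    return cleaned;
  });
  return { text: out.join("\n"), changedLines };
}

const result = sanitizeLogFile(SAMPLE_LOG_FILE);
console.log(`lines changed: ${result.changedLines.join(", ") || "none"}`);
console.log(result.text);
```

Encoding is preferred over stripping tags with a regular expression: a strip-based cleaner has to anticipate every tag and attribute form, while encoding the five characters above removes the markup context entirely regardless of what the entry contained. Note that this only neutralizes what is already on disk; the viewer upgrade in 4.0.0 is what stops new entries from being rendered unencoded.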
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.