CVE-2026-5301 Overview
CVE-2026-5301 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting CoolerControl's coolercontrold daemon and its coolercontrol-ui web interface in versions prior to 4.0.0. The flaw resides in the log viewer component implemented in AppInfoView.vue, which renders log entries without proper output encoding. An attacker who can influence log content can inject malicious JavaScript that executes in the browser of any user viewing the logs. According to the advisory, unauthenticated attackers can poison log entries and ultimately take over the service.
Critical Impact
Unauthenticated attackers can inject JavaScript into log entries that executes in administrator browsers, enabling full takeover of the CoolerControl service.
Affected Products
- CoolerControl coolercontrold versions prior to 4.0.0
- CoolerControl coolercontrol-ui versions prior to 4.0.0
- CoolerControl releases 2.0.0 through 3.1.1 (vulnerable AppInfoView.vue log viewer)
Discovery Timeline
- 2026-04-08 - CVE-2026-5301 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-5301
Vulnerability Analysis
The vulnerability is a stored XSS issue in the CoolerControl Vue.js single-page application. The log viewer in coolercontrol-ui/src/views/AppInfoView.vue renders log entries from the coolercontrold daemon without sanitizing or escaping HTML and script content. When an attacker can influence what gets written into the log stream, that content is later rendered as live DOM in an administrator's browser session.
Because the user interface runs with the privileges of the authenticated CoolerControl operator, injected JavaScript inherits access to the application's API session. This allows the attacker to modify fan and pump configurations, exfiltrate session data, or pivot to other browser-accessible resources on the host. The advisory states that exploitation leads to service takeover.
Root Cause
The root cause is improper neutralization of input during web page generation. The vulnerable code paths referenced at AppInfoView.vue line 224 in 2.0.0 and line 350 in 3.1.1 render log strings as raw HTML rather than text. Any HTML tags, including <script> and event-handler attributes, are interpreted by the browser when the log view is opened.
Attack Vector
The attack requires a remote attacker to poison a log entry that CoolerControl will later display. The exact ingestion path depends on the deployment, but the daemon logs operational data accessible to network-reachable inputs without authentication. When an administrator subsequently opens the application info or log viewer in the web UI, the injected payload executes in their browser session and can issue authenticated API calls to coolercontrold. Vendor source references are available in the GitLab Code Blob 2.0.0 and GitLab Code Blob 3.1.1 views.
No verified public proof-of-concept code is available. Exploitation conceptually involves placing an HTML or script payload into any input the daemon writes verbatim to its log, then waiting for an operator to load the log view.
Detection Methods for CVE-2026-5301
Indicators of Compromise
- Log entries containing HTML tags such as <script>, <img onerror=, <svg onload=, or javascript: URIs in coolercontrold log files
- Unexpected outbound HTTP requests originating from administrator browsers immediately after opening the CoolerControl UI
- Unauthorized configuration changes to fan curves, pump profiles, or device settings without a corresponding operator action
Detection Strategies
- Inspect persisted CoolerControl logs for HTML or JavaScript syntax that should never appear in operational telemetry
- Monitor the coolercontrold API for configuration mutations that do not correlate with legitimate authenticated sessions
- Apply web content security policy violation reporting on the coolercontrol-ui origin to surface inline script execution attempts
Monitoring Recommendations
- Forward coolercontrold logs to a central log platform and alert on regex matches for common XSS payload markers
- Track the installed CoolerControl version across hosts and flag any instance running below 4.0.0
- Audit network exposure of the CoolerControl web interface and restrict it to trusted management segments
How to Mitigate CVE-2026-5301
Immediate Actions Required
- Upgrade CoolerControl to version 4.0.0 or later, which addresses the log viewer rendering issue
- Restrict network access to the coolercontrold web interface so only trusted administrators can reach it
- Review existing log files for embedded HTML or script payloads before opening them in the upgraded UI
Patch Information
The issue is fixed in CoolerControl 4.0.0. Refer to the GitLab Release 4.0.0 notes for the official remediation. Administrators should upgrade both the coolercontrold daemon and the coolercontrol-ui package to the same fixed version.
Workarounds
- Bind coolercontrold to localhost only and access the UI through an authenticated reverse proxy or SSH tunnel
- Avoid opening the application info or log viewer pages until the upgrade is applied
- Rotate any credentials or API tokens that may have been accessible to a browser session that loaded poisoned logs
# Configuration example: verify installed version and upgrade
coolercontrold --version
# Debian/Ubuntu package upgrade
sudo apt update && sudo apt install --only-upgrade coolercontrol coolercontrold
# Confirm the fixed version is running
systemctl restart coolercontrold
coolercontrold --version # expect 4.0.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
