Home / Vulnerability Intelligence / CVE-2026-34403

CVE-2026-34403 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: April 22, 2026

Nginx UI - Stored XSS

Published: April 20, 2026Updated: April 22, 2026PoC AvailableRemote Exploitable

Overview

Nginx UI < 2.3.5 contains a stored XSS caused by insecure WebSocket origin checks and cookie handling, letting attackers hijack authenticated WebSocket connections via malicious webpages, exploit requires victim administrator to visit attacker page.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Attackers can hijack authenticated WebSocket connections, potentially leading to unauthorized actions as an administrator.

Mitigation

Upgrade to version 2.3.5 or later.

References

https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-34403
Severity: High
CVSS Score: 8.1
Type: stored_xss
Status: confirmed

CWE

CWE-1385

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N