CVE-2026-48788 | Severity: HIGH | CNA: GitHub_M

CVE-2026-48788: Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing

Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.
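To make the two-phase inconsistency concrete, here is an added Go illustration (not Remark42's own code): a weak decision that trusts only the advertised header at download time and sniffs at serve time, beside a hardened decision that sniffs the bytes at download time and serves exactly the sniffed type. The allow-list, function names and sample bodies are constructed for this example.

```go
package main

import (
	"errors"
	"mime"
	"net/http"
)

// ErrNotImage is returned when the proxy refuses to re-serve an upstream response.
var ErrNotImage = errors.New("upstream response is not an allowed image")

// allowedImageTypes is a constructed allow-list of media types the proxy may re-serve.
var allowedImageTypes = map[string]bool{"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true}

// Constructed sample bodies: a PNG signature, and an HTML document an upstream could advertise as image/png.
var samplePNG = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR")
var sampleHTML = []byte("<html><body>constructed sample</body></html>")

// mediaType reduces "image/png; charset=x" to "image/png" ("" if unparseable).
func mediaType(contentType string) string {
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return ""
	}
	return mt
}

// weakProxyDecision models the inconsistency in the advisory: the download phase trusts only the
// advertised header, while the serving phase emits whatever http.DetectContentType sniffs from the
// body. It returns (accepted, Content-Type that would be sent to the browser).
func weakProxyDecision(advertised string, body []byte) (bool, string) {
	if !allowedImageTypes[mediaType(advertised)] {
		return false, ""
	}
	return true, mediaType(http.DetectContentType(body))
}

// hardenedProxyDecision sniffs the bytes at download time, requires the sniffed type to be an
// allowed image type, and serves exactly that type, so the accept decision and the emitted
// Content-Type can never disagree.
func hardenedProxyDecision(advertised string, body []byte) (string, error) {
	if !allowedImageTypes[mediaType(advertised)] {
		return "", ErrNotImage
	}
	sniffed := mediaType(http.DetectContentType(body))
	if !allowedImageTypes[sniffed] {
		return "", ErrNotImage
	}
	return sniffed, nil
}
```

For the spoofed sample, the weak path accepts the body and would serve text/html, while the hardened path returns ErrNotImage; a genuine PNG signature passes both and is served as image/png.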

Metrics

CVSS v3.0: 8.2
Severity: HIGH
Fixed in: 1.16.0
Affected Products: 1


HarborGuard Analysis

Synopsis

A stored cross-site scripting (XSS) vulnerability exists in Remark42, a self-hosted comment engine, affecting versions 1.6.0 through 1.15.0. The flaw is in the image proxy endpoint (/api/v1/img), which accepts a remote URL if it advertises an image Content-Type header, then re-serves the response using byte-sniffed Content-Type detection; an attacker can exploit this mismatch to have the browser render attacker-controlled HTML and JavaScript within Remark42's own origin. No account on the target instance is required, and a successful attack allows the attacker to run arbitrary scripts in the victim's browser session, enabling session hijacking and limited content tampering. A patched-image rebuild at version 1.16.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-48788 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from umputun/remark42 base layers. Any image layer carrying an affected version (1.6.0 through 1.15.0) is flagged automatically at scan time, with no manual configuration required.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.0 score of 8.2 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately relative to each organization's risk thresholds. Findings are routed to the configured team inbox for each customer org, so the right people see the alert without manual filtering.

Status: Available

Patch

A patched-image rebuild at version 1.16.0 is available on HarborGuard for any environment running an affected version of Remark42. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against the affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Remark42 image proxy endpoint over the network, and the victim must load the crafted proxy URL from a browser.

  • Authentication: Not required

    No Remark42 account or credentials are needed; the image proxy endpoint is accessible without authentication.

  • Victim interaction: Required

    The victim must click or otherwise load the attacker-supplied proxy link, typically delivered via email, direct message, or an external website.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free: the attacker only needs to control a remote URL that returns an HTML/JavaScript body while advertising an image Content-Type header, a straightforward setup with no race conditions or environment-specific dependencies.

Blast Radius

  • Attacker-controlled JavaScript executes within Remark42's origin, giving access to the victim's session cookies and authentication tokens for that origin.
  • The attacker can read any data accessible to the victim's session, including comment content and any user profile information exposed client-side.
  • The attacker can make authenticated requests to the Remark42 API on behalf of the victim, including posting or modifying comments.

How HarborGuard Handles This

Available on HarborGuard: images carrying umputun/remark42 versions 1.6.0 through 1.15.0 are automatically flagged against CVE-2026-48788 within minutes of advisory ingestion, including images rebuilt from this base in customer-internal pipelines. A patched-image rebuild at version 1.16.0 is available for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, executes a regression run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in these environments. Where compliance policy restricts auto-remediation, the finding is queued for manual review with full CVSS context and routing to the appropriate team inbox. Because no upstream fix was listed at the time of initial publication (the fix shipped in 1.16.0), HarborGuard also re-checks the advisory on each ingest cycle to ensure rebuild availability reflects the current upstream state.

Affected packages
  • umputun / remark42
    >= 1.6.0, < 1.16.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N