Detections
Analytics

CVE-2026-33061

medium

Description

Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.

References

https://github.com/Jexactyl/Jexactyl/security/advisories/GHSA-6xgw-mmmv-57h2

https://github.com/Jexactyl/Jexactyl/commit/e28edb204e80efab628d1241198ea4f079779cfd

Details

Source: Mitre, NVD

Published: 2026-03-20

Updated: 2026-03-30

Risk Information

CVSS v2

Base Score: 5.9

Vector: CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 5.8

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Severity: Medium

EPSS

EPSS: 0.00018