PT-2026-26575 · Unknown · Game Management Panel/Billing System

Thenoname-Gurl · Published 2026-03-20 · Updated 2026-03-20 · CVE-2026-33061

CVSS v3.1: 5.8 (Medium)

Vector: AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

exactyl versions after 025e8dbb0daaa04054276bda814d922cf4af58da through e28edb204e80efab628d1241198ea4f079779cfd

Description

The software is a customizable game management panel and billing system. A flaw exists where server-side objects are injected into client-side JavaScript through the 'resources/views/templates/wrapper.blade.php' file. The use of unescaped json_encode() without secure encoding flags allows string values to escape the JavaScript context and be interpreted as HTML or JavaScript by the browser. If serialized fields contain attacker-controlled content, such as a username, display name, or site configuration value, a malicious payload can execute arbitrary script for any user viewing the page, resulting in stored DOM-based Cross-Site Scripting (XSS).

Recommendations

Update to a version after e28edb204e80efab628d1241198ea4f079779cfd.
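
The encoding difference the description refers to, shown as an added example (not the project's template code): plain PHP comparing default json_encode() output with the JSON_HEX_* flags on a constructed user record. The function names and the sample record are hypothetical.

```php
<?php
// Added example; not the project's template code. Function names and the
// sample record are hypothetical and constructed for illustration.

// Pattern the advisory describes: default json_encode() output placed raw
// inside a <script> element. Default flags leave < > & ' as literal bytes.
function inline_state_default(array $data): string
{
    return (string) json_encode($data);
}

// Hardened: JSON_HEX_* rewrites those characters as \u003C, \u003E, \u0026,
// \u0027 and \u0022 inside string values. The JavaScript engine decodes
// them back, so the client receives the same data.
function inline_state_hardened(array $data): string
{
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Review helper: true when a serialized payload still carries characters
// that an HTML parser or a quoted JS/attribute context could act on.
function has_raw_markup_chars(string $json): bool
{
    return strpbrk($json, "<>&'") !== false;
}

// Constructed sample: a user-editable display name containing markup.
$user = ['username' => 'eve', 'display_name' => "Eve <b>O'Neil</b> & co"];

$encoders = ['default' => 'inline_state_default', 'hardened' => 'inline_state_hardened'];
foreach ($encoders as $label => $encode) {
    $json = $encode($user);
    $raw  = has_raw_markup_chars($json) ? 'yes' : 'no';
    printf("%-8s raw markup chars: %-3s %s\n", $label, $raw, $json);

    // Both encodings must round-trip to the same data.
    if (json_decode($json, true) !== $user) {
        throw new RuntimeException("$label encoding changed the data");
    }
}
```

In a Blade template, Laravel's `Js::from()` helper and `@json` directive apply these same hex flags, which avoids hand-writing the flag list at each injection point.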

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2026-33061
GHSA-6XGW-MMMV-57H2

Affected products

Game Management Panel/Billing System