PT-2026-34595 · Unknown · Stig-Manager

Published: 2026-04-23 · Updated: 2026-04-23 · CVE-2026-41200

CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: STIG Manager versions 1.5.10 through 1.6.7

Description: Reflected Cross-Site Scripting (XSS) occurs in the OIDC authentication error handling code in src/init.js and public/reauth.html. During the OIDC redirect flow, the error and error_description query parameters returned by the OIDC provider are written directly to the DOM via innerHTML without HTML escaping. An attacker who convinces a user to follow a crafted redirect URL can therefore execute arbitrary JavaScript in the application's origin. If the user has an active session in another tab, the injected code can communicate with the SharedWorker that manages the access token and perform authenticated API requests, such as reading and modifying collection data.

Recommendations: Update to version 1.6.8.
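The following is an added example, not STIG Manager's own code: it contrasts the unsafe pattern the description names (provider-controlled query parameters interpolated into innerHTML) with a hardened renderer that allowlists the OIDC error code and HTML-escapes the description. FakeElement is a hypothetical stand-in for a DOM node so the example runs outside a browser; the sample URLs are constructed.

```javascript
// Hypothetical minimal stand-in for a DOM element (runs under Node, no browser needed).
class FakeElement {
  constructor() { this.innerHTML = ''; }
}

// Error codes a provider may legitimately return (RFC 6749 §4.1.2.1 plus common OIDC Core codes).
const KNOWN_ERRORS = new Set([
  'invalid_request', 'unauthorized_client', 'access_denied',
  'unsupported_response_type', 'invalid_scope', 'server_error',
  'temporarily_unavailable', 'interaction_required', 'login_required',
]);

// Extract error/error_description from the URL the provider redirected the browser to.
function parseOidcError(redirectUrl) {
  const params = new URL(redirectUrl).searchParams;
  return {
    error: params.get('error') || '',
    description: params.get('error_description') || '',
  };
}

// Unsafe pattern (the shape of the defect described above): attacker-influenced
// text is interpolated into markup, so any tags it carries become live DOM nodes.
function renderUnsafe(el, { error, description }) {
  el.innerHTML = `<strong>${error}</strong>: ${description}`;
  return el.innerHTML;
}

// Escape the five characters that can change HTML structure or break out of an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Hardened rendering: the code is allowlisted, the description is escaped and length-capped.
// (If no wrapper markup is needed, assigning el.textContent is simpler and equally safe.)
function renderSafe(el, { error, description }) {
  const code = KNOWN_ERRORS.has(error) ? error : 'unknown_error';
  const text = description.slice(0, 200);
  el.innerHTML = `<strong>${escapeHtml(code)}</strong>: ${escapeHtml(text)}`;
  return el.innerHTML;
}
```

Run against a constructed redirect such as `https://app.example/reauth.html?error=access_denied&error_description=%3Ci%3Emarkup%3C%2Fi%3E`, renderUnsafe leaves the `<i>` element in the DOM while renderSafe shows it as literal text.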

Tags: Fix, XSS

Related Identifiers: CVE-2026-41200

Affected Products: Stig-Manager