PT-2026-38270 · Flight · Flight
Published 2026-05-06 · Updated 2026-05-13 · CVE-2026-42548
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Flight versions prior to 3.18.1
Description
The Flight::jsonp() function concatenates the jsonp query parameter directly into an application/javascript response body without validating whether the value is a legal JavaScript identifier. An attacker can therefore inject arbitrary JavaScript that executes in the response's origin, leading to reflected cross-site scripting (XSS). Possible consequences include cookie theft, session hijacking, and exfiltration of authenticated API responses.
Recommendations
Update to version 3.18.1.
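As an added example that is not Flight's code (Flight is a PHP framework; this is a framework-agnostic Node.js illustration of the same check), the following contrasts the concatenation pattern the description names with a builder that accepts only a JavaScript identifier, optionally with dotted member access, as the callback name. The function names, the regular expression, the length cap, the response headers and the sample payload are this example's own assumptions and are not taken from Flight's 3.18.1 fix.

```javascript
// Added example (not Flight's code): a JSONP response builder that validates
// the callback name before it is ever concatenated into a JavaScript body.
// Function names and the sample payload below are constructed for illustration.

// The pattern the advisory describes: the callback parameter is concatenated
// verbatim, so any string that happens to be valid JavaScript becomes script.
function buildJsonpVulnerable(callback, data) {
  return callback + '(' + JSON.stringify(data) + ');';
}

// A legal JSONP callback: a JavaScript identifier, optionally followed by
// dotted member access (e.g. "app.handlers.onData"). Anything else is rejected.
const IDENT = '[A-Za-z_$][A-Za-z0-9_$]*';
const CALLBACK_RE = new RegExp('^' + IDENT + '(\\.' + IDENT + ')*$');

// Assumed length cap: a defensive bound, not a value from the advisory.
function isValidJsonpCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// Hardened builder: validates the callback, escapes the two Unicode line
// terminators that JSON allows but JavaScript source does not, and prepends
// an empty comment as general defense in depth against content-sniffing of
// the response body. Returns null for an invalid callback; the caller should
// answer 400 rather than fall back to any unvalidated name.
function buildJsonpSafe(callback, data) {
  if (!isValidJsonpCallback(callback)) return null;
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '/**/' + callback + '(' + json + ');';
}

// Headers a JSONP endpoint should send alongside the body (assumed best practice).
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample: a benign callback and a non-identifier callback.
const samplePayload = { user: 'alice', role: 'member' };
console.log(buildJsonpSafe('handleUser', samplePayload));
console.log(buildJsonpSafe('evil();//', samplePayload)); // null
```

The validator is the essential part: once the callback is restricted to identifier characters, the response body cannot contain parentheses, quotes, comment markers or operators supplied by the request, and the JSON encoder controls everything after the opening parenthesis. The `/**/` prefix and `nosniff` header are general JSONP hardening measures, not specifics of the Flight fix.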
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Flight