No vendor fix or workaround currently provided.
No advisories yet.
Fri, 29 May 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | 3clyp50, 3clyp50 agent-zero | |
| Vendors & Products | 3clyp50, 3clyp50 agent-zero | |
Wed, 27 May 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Wed, 27 May 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the image_get API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers. Attackers can place a crafted SVG file containing script tags in any path readable by the agent-zero process and lure an authenticated user to the image_get endpoint, causing the browser to execute the malicious script, steal the csrf_token cookie, and perform unauthorized API calls on behalf of the victim. | |
| Title | Agent Zero < 1.15 Stored XSS via image_get API Endpoint | |
| Weaknesses | CWE-79 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-05-27T16:13:49.786Z
Reserved: 2026-05-18T19:22:26.749Z
Link: CVE-2026-47119
Updated: 2026-05-27T16:12:46.627Z
Status : Deferred
Published: 2026-05-27T15:16:30.690
Modified: 2026-06-17T10:54:20.320
Link: CVE-2026-47119
No data.
OpenCVE Enrichment
Updated: 2026-05-29T15:50:41Z