Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-7qw2-f75v-62f7 | Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component |
Fri, 10 Jul 2026 03:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 02:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Coder
Coder coder |
|
| Vendors & Products |
Coder
Coder coder |
Wed, 08 Jul 2026 01:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion. No known workarounds are available. | |
| Title | Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component | |
| Weaknesses | CWE-79 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T14:00:43.204Z
Reserved: 2026-06-16T21:59:57.017Z
Link: CVE-2026-55437
Updated: 2026-07-08T14:00:38.697Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T22:30:06Z
Github GHSA