CVSS 8.2 HIGH Vulnerability

CVE-2026-48788: Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing


CVSS Score: 8.2
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-48788
Vendor: go
Affected Product: github.com/umputun/remark42
Vulnerability Type: Vulnerability
CVSS Score: 8.2 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See vendor advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary

The remark42 image proxy fetches an arbitrary remote URL and re-serves the response from remark42's own origin. The download path decides whether the fetched resource is an image by looking only at the Content-Type header the remote server claims — it never inspects the actual bytes. The serving path then derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker hosts a URL that sets Content-Type to image/png but returns an HTML/JavaScript body:

• the download check sees image/png → accepts it;
• the serve path sniffs the body → emits Content-Type: text/html;
• the browser renders attacker HTML/JS as a document in remark42's origin.

Details

Downloader: backend/app/rest/proxy/image.go, downloadImage(), lines 189
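As an added illustration (not remark42's code), the Go program below contrasts a check that trusts the remote Content-Type header with one that decides on the sniffed bytes and serves them under that validated type with nosniff, so the download decision and the emitted Content-Type can no longer disagree. The type and function names, and the two sample responses, are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// fetched is a constructed stand-in for a proxied remote response:
// the Content-Type the remote server claims and the body it returned.
type fetched struct {
	claimedType string
	body        []byte
}

// headerOnlyIsImage mirrors the weakness in the advisory: it trusts the
// claimed header and never looks at the bytes that will be served.
func headerOnlyIsImage(f fetched) bool {
	return strings.HasPrefix(f.claimedType, "image/")
}

// sniffedIsImage is the hardened check: it uses the same sniffer as the
// serve path, so an HTML body can never pass as an image.
func sniffedIsImage(f fetched) (string, bool) {
	sniffed := http.DetectContentType(f.body)
	return sniffed, strings.HasPrefix(sniffed, "image/")
}

// serveHeaders emits the sniffed, validated type and tells the browser
// not to re-sniff the body into something else.
func serveHeaders(sniffed string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", sniffed)
	h.Set("X-Content-Type-Options", "nosniff")
	return h
}

func main() {
	// Constructed spoofed response: claims image/png, body is HTML.
	spoofed := fetched{"image/png", []byte("<html><body>not an image</body></html>")}
	// Constructed genuine PNG: 8-byte signature followed by filler bytes.
	png := fetched{"image/png", append([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}, make([]byte, 16)...)}
	for _, f := range []fetched{spoofed, png} {
		sniffed, ok := sniffedIsImage(f)
		fmt.Printf("claimed=%s header-check=%v sniffed=%q byte-check=%v\n",
			f.claimedType, headerOnlyIsImage(f), sniffed, ok)
	}
}
```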
