## https://sploitus.com/exploit?id=80E71DD5-F2F7-5982-884E-6D11EECF3ECD
# CVE-2026-37196 – Stored Cross-Site Scripting (XSS) in nirix traq v3.9.0
## Overview
A **Stored Cross-Site Scripting (XSS)** vulnerability exists in **nirix traq v3.9.0**, where user-supplied input in the **ticket description field** is improperly sanitized before being rendered in the application interface.
This vulnerability allows an authenticated attacker to inject malicious JavaScript payloads into a ticket description. The application stores the payload and executes it when another user, including privileged users such as administrators, views the affected ticket in the timeline or any other component that renders the description.
* **CVE ID:** CVE-2026-37196
* **Vulnerability Type:** Stored Cross-Site Scripting (CWE-79)
* **Vendor:** nirix
* **Product:** traq
* **Affected Version:** 3.9.0
* **Attack Type:** Remote
* **Severity:** High
* **Researcher:** Pavan V
---
## Vulnerability Summary
The issue occurs because user-controlled HTML/JavaScript input is rendered without proper output encoding or sanitization.
An authenticated attacker can create or modify a ticket and insert a malicious payload into the **description field**. When another user views the affected ticket, the injected script executes in the victim’s browser context.
This can lead to:
* Arbitrary JavaScript execution
* Session hijacking
* Unauthorized actions on behalf of victims
* Theft of sensitive information
* Privilege escalation in certain scenarios
---
## Affected Component
**Ticket Description Field / Timeline Rendering Component**
The vulnerability is triggered when ticket descriptions containing malicious HTML or JavaScript are rendered in the application interface without sufficient escaping.
---
## Proof of Concept (PoC)
### Example Payload
```html
```
### Reproduction Steps
1. Log in to a traq v3.9.0 instance with a valid user account.
2. Navigate to the ticket creation functionality.
3. Create a new ticket.
4. Insert a malicious payload into the **description field**.
Example:
```html
```
5. Save the ticket.
6. Open or preview the ticket from another user account or privileged account.
7. Observe that the JavaScript payload executes automatically when the description is rendered.
---
## Security Impact
Successful exploitation may allow attackers to:
* Execute arbitrary JavaScript in victim browsers
* Access authenticated session information
* Perform actions as the affected user
* Manipulate ticket content
* Potentially target administrators for privilege abuse
---
## Root Cause
The application fails to properly sanitize or encode user-controlled input before rendering ticket descriptions in the browser.
User input is stored and later rendered without sufficient protection against HTML/JavaScript injection.
---
## Mitigation
The following mitigations are recommended:
* Properly sanitize user-controlled HTML content
* Apply contextual output encoding
* Use an allowlist-based HTML sanitizer
* Deploy a strong Content Security Policy (CSP)
* Avoid rendering raw HTML from user-controlled input
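The following is an added illustration of the root cause and of three of the mitigations listed above (contextual output encoding, an allowlist-based sanitizer, and a CSP header). It is example code written for this page, not traq's own source; the function names, the allowlist, and the sample ticket descriptions are all constructed for the illustration.

```python
"""Added example (not traq's code): rendering a user-controlled ticket
description safely. The allowlist and the sample descriptions are constructed."""
import html
from html.parser import HTMLParser

# Tags and per-tag attributes a ticket description may keep (constructed allowlist).
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "pre", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def render_unsafe(description: str) -> str:
    # Root-cause pattern (hypothetical): stored user HTML is concatenated into the page unchanged.
    return f'<div class="ticket-description">{description}</div>'


def render_encoded(description: str) -> str:
    # Contextual output encoding for an HTML body context: no user markup survives at all.
    return f'<div class="ticket-description">{html.escape(description, quote=True)}</div>'


class AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted tags/attributes; everything else is dropped or escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # >0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself (e.g. <img>), its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers (onerror=, onclick=), style=, etc.
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(html.escape(data, quote=True))  # text is always re-encoded


def sanitize(description: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(description)
    parser.close()
    return "".join(parser.out)


def render_sanitized(description: str) -> str:
    # Allowlist sanitization: limited formatting survives, active content does not.
    return f'<div class="ticket-description">{sanitize(description)}</div>'


# Defense in depth: a CSP that blocks inline scripts even if a sanitizer bug slips through.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
)


if __name__ == "__main__":
    # Constructed sample descriptions, not payloads from the advisory.
    samples = [
        '<p>Need help</p><img src=x onerror="alert(1)">',
        "<script>alert(document.cookie)</script>hi",
        '<a href="javascript:alert(1)">x</a>',
        '<a href="https://example.com/">ok</a>',
    ]
    for s in samples:
        print("unsafe   :", render_unsafe(s))
        print("encoded  :", render_encoded(s))
        print("sanitized:", render_sanitized(s))
        print()
    print(": ".join(CSP_HEADER))
```

`render_encoded` is the right choice when ticket descriptions are meant to be plain text; `render_sanitized` is for the case where some formatting must be preserved. In production, prefer a maintained sanitizer library over a hand-rolled one like the class above, and send the CSP header on every response that renders user content.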
---
## Timeline
| Event | Date |
| ------------------------ | ---------------------- |
| Vulnerability Discovered | 2026 |
| Vendor Notification | Responsible Disclosure |
| CVE Assigned | CVE-2026-37196 |
| Public Disclosure | 2026 |
---
## Disclaimer
This repository is published for **security research and defensive awareness purposes only**. The information provided is intended to help developers and defenders understand and remediate the issue.
---
## Credits
**Discovered by:**
Pavan V