CVE-2026-48788: Cross-Site Scripting and Content-Type Spoofing in Remark42 Image Proxy
Vulnerability ID: CVE-2026-48788
CVSS Score: 8.2
Published: 2026-06-26
A critical-severity Cross-Site Scripting (XSS) and Content-Type spoofing vulnerability in Remark42 (versions 1.6.0 through 1.15.0) allows remote attackers to execute arbitrary client-side script code via a crafted image proxy request.
TL;DR
Remark42 is vulnerable to an interpretation conflict: a malicious remote server that spoofs a PNG Content-Type header can bypass the download filters, so Remark42's image proxy relays an HTML payload that the browser then executes.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-436, CWE-79
- Attack Vector: Network (AV:N)
- CVSS Score: 8.2 (High)
- EPSS Score: 0.00251
- Exploit Status: PoC
- CISA KEV Status: Not Listed
Affected Systems
- Remark42 Comment Engine
- remark42: >= 1.6.0, < 1.16.0 (Fixed in: 1.16.0)
Code Analysis
Commit: 78d6de6
Add safety checks and security headers to rest api endpoints
Mitigation Strategies
- Upgrade to version 1.16.0 or higher
- Enforce X-Content-Type-Options: nosniff header on reverse proxies
- Disable the image proxy feature if not strictly required
Remediation Steps:
- Update the Remark42 container image to tag v1.16.0 or higher
- Clear any front-end CDN caches associated with /api/v1/img
- Verify the presence of X-Content-Type-Options headers in proxy responses
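The check behind the TL;DR and the nosniff mitigation above, as an added illustration that is not Remark42's own code: the proxy ignores the upstream server's claimed Content-Type, sniffs the bytes it actually received, and only relays bodies that sniff as an allowed image type, with X-Content-Type-Options set on the response. Function names and the allow-list are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// allowedImageTypes lists the MIME types the proxy may relay to browsers.
var allowedImageTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// checkProxiedImage decides whether a fetched body may be relayed. The remote
// server's Content-Type header is not trusted: the first 512 bytes are sniffed
// with http.DetectContentType, so HTML labelled "image/png" is rejected. It
// returns the type that should be sent to the browser.
func checkProxiedImage(declared string, body []byte) (string, error) {
	sniffed := http.DetectContentType(body)
	if !allowedImageTypes[sniffed] {
		return "", fmt.Errorf("body sniffs as %q, not an allowed image type", sniffed)
	}
	// The declared type (parameters stripped) must also agree with the bytes.
	d := strings.ToLower(strings.TrimSpace(strings.Split(declared, ";")[0]))
	if d != sniffed {
		return "", fmt.Errorf("declared %q but bytes are %q", d, sniffed)
	}
	return sniffed, nil
}

// serveProxied writes the hardened response: Content-Type derived from the bytes,
// nosniff so the browser cannot reinterpret the body, 502 and no content on rejection.
func serveProxied(w http.ResponseWriter, declared string, body []byte) error {
	ctype, err := checkProxiedImage(declared, body)
	if err != nil {
		http.Error(w, "unsupported image", http.StatusBadGateway)
		return err
	}
	w.Header().Set("Content-Type", ctype)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusOK)
	_, err = w.Write(body)
	return err
}

func main() {
	// Constructed sample: an HTML body that the upstream server labels as image/png.
	_, err := checkProxiedImage("image/png", []byte("<html><body>constructed</body></html>"))
	fmt.Println("spoofed html rejected:", err != nil)
}
```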