CVE-2024-26362

8.8 HIGH

📋 TL;DR

An HTML injection vulnerability in Enpass Password Manager Desktop Client allows attackers to execute arbitrary HTML code by creating specially crafted notes. This affects users of Enpass 6.9.2 on Windows and Linux systems. The vulnerability could lead to credential theft or malware execution.

💻 Affected Systems

Products:
  • Enpass Password Manager Desktop Client
Versions: 6.9.2
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects desktop clients; mobile versions and other platforms not mentioned in CVE.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of password vault, credential theft, malware installation, and lateral movement within the network.

🟠 Likely Case: Credential theft from the password manager, session hijacking, and potential access to other accounts.

🟢 If Mitigated: Limited impact if proper network segmentation and endpoint protection are in place, though local data remains at risk.

🌐 Internet-Facing: LOW (requires local access or social engineering to trigger the crafted note)
🏢 Internal Only: HIGH (malicious insider or compromised internal user could exploit this to steal credentials)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires creating a crafted note, which typically needs some level of access to the application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Enpass official channels for updated version (likely 6.9.3 or higher)

Vendor Advisory: Not provided in CVE; check Enpass website or security advisories.

Restart Required: Yes

Instructions:

1. Open Enpass application
2. Go to Settings > About
3. Check for updates and install if available
4. Restart Enpass after update

🔧 Temporary Workarounds

Disable note creation (applies to: all)

Prevent users from creating new notes in Enpass to block the attack vector.

Not applicable via command line; configure through Enpass settings if available.

Use read-only mode (applies to: all)

Operate Enpass in read-only mode to prevent modification of notes.

Not applicable via command line; set through application preferences.

🧯 If You Can't Patch

  • Restrict access to Enpass application to trusted users only.
  • Implement application whitelisting to prevent unauthorized execution of HTML payloads.

🔍 How to Verify

Check if Vulnerable:

Check Enpass version in Settings > About; if version is 6.9.2, it is vulnerable.

Check Version:

Not applicable via command line; check within Enpass GUI.

Verify Fix Applied:

Update to latest version and verify version number is higher than 6.9.2.

📡 Detection & Monitoring

Log Indicators:

  • Unusual note creation events in Enpass logs
  • HTML or script tags in note content logs

Network Indicators:

  • Outbound connections from Enpass to unexpected domains

SIEM Query:

Not applicable; primarily local application exploit.
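As an added defender-side example (not part of the CVE record and not Enpass's own tooling), the script below scans note-content log lines for the HTML and script tags listed above, distinguishing real markup from harmless "<" and ">" characters in ordinary text. The log line format, user names and note contents are constructed for illustration, since the CVE does not document Enpass's actual log format.

```python
import re
from html.parser import HTMLParser

# Constructed sample log lines in an ASSUMED format:
#   <timestamp> <user> <action> "<note title>" :: <note content>
SAMPLE_LOG = """\
2024-02-12T09:14:02 alice note_created "Router" :: admin / hunter2
2024-02-12T09:15:40 bob note_created "Welcome" :: <img src=x onerror="alert(1)">
2024-02-12T09:16:05 carol note_updated "VPN" :: <script>document.title='x'</script>
2024-02-12T09:17:30 dave note_created "Math" :: 3 < 5 and 7 > 2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>note_\w+)\s+'
    r'"(?P<title>[^"]*)"\s+::\s+(?P<content>.*)$'
)


class TagCollector(HTMLParser):
    """Records every element start tag and every on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))


def find_markup(content):
    """Return (tags, event_handlers) found in a note body; plain '<' / '>' yield nothing."""
    parser = TagCollector()
    parser.feed(content)
    parser.close()
    return parser.tags, parser.handlers


def scan(log_text):
    """Flag note events whose content contains HTML elements or inline event handlers."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not follow the assumed format
        tags, handlers = find_markup(match["content"])
        if tags or handlers:
            findings.append({"ts": match["ts"], "user": match["user"],
                             "title": match["title"], "tags": tags, "handlers": handlers})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} note {f['title']!r}: tags={f['tags']} handlers={f['handlers']}")
```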
