cvedb.io
CVE-2026-33061
MEDIUM · CVSS 5.8
EPSS exploitation probability: 0%
Published 2026-03-20T08:16:12.090 · Last modified 2026-06-17T10:36:52.993

Summary

Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.

Affected products

jexactyl — jexactyl

Does this affect you?

Add your gear to cvedb and we'll alert you only when jexactyl ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.