PatchSiren cyber security CVE debrief
CVE-2026-55437 coder CVE debrief
CVE-2026-55437: Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Exploitation requires a victim to view attacker-controlled agent logs in the dashboard.
- Vendor
- coder
- Product
- Unknown
- CVSS
- MEDIUM 5.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of Coder versions prior to 2.29.17, 2.32.7, 2.33.8, and 2.34.2 who provision remote development environments via Terraform and rely on the dashboard for monitoring workspace agent logs. Affected operators should review logs and restrict dashboard access.
Technical summary
The `AgentLogLine` dashboard component in Coder instantiated `ansi-to-html` without proper escaping, allowing HTML embedded in workspace agent log lines to be rendered as live markup. This vulnerability requires a victim to view attacker-controlled agent logs in the dashboard to be exploited. The fix enables `escapeXML: true` to escape HTML metacharacters before DOM insertion. Affected users should review logs for suspicious activity and restrict dashboard access.
Defensive priority
Medium priority due to the requirement for user interaction and the limited scope of exploitation.
Recommended defensive actions
- Upgrade to Coder versions 2.29.17, 2.32.7, 2.33.8, or 2.34.2 or later
- Review and monitor workspace agent logs for suspicious activity
- Restrict access to the dashboard to authorized users only
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-08T01:16:28.020Z and has not been modified since then. The NVD entry is currently 5.4 MEDIUM. Limited details are available about the vulnerability, and no workarounds are provided. The fix in versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2 enables `escapeXML: true` so HTML metacharacters are escaped before DOM insertion.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T01:16:28.020Z and has not been modified since then.