PatchSiren cyber security CVE debrief
CVE-2026-42224 Icinga CVE debrief
CVE-2026-42224 is a high-severity vulnerability in ipl/web, a set of common web components for PHP projects. An attacker can inject malicious JavaScript into a victim's browser, allowing it to run in the context of Icinga Web. The victim must visit a specifically prepared website, and may not immediately notice any wrongdoing. This issue has been patched in versions 0.13.1 and 0.10.3.
- Vendor: Icinga
- Product: ipl-web
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-05-08
- Advisory updated: 2026-06-09
Who should care
Users of ipl/web versions prior to 0.13.1 or 0.10.3 should apply the patches to prevent exploitation.
Technical summary
The vulnerability has a CVSS score of 7.6 and is classified as HIGH. Exploitation requires the attacker to have high privileges and the victim to interact with the malicious website.
Defensive priority
High
Recommended defensive actions
- Apply patches: Upgrade to ipl/web version 0.13.1 or 0.10.3.
- Review website usage: Ensure that users are not visiting malicious websites.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively.
Official resources
CVE-2026-42224 was published on 2026-05-08 and modified on 2026-06-09.