CVE-2026-22674
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Hashgraph Guardian up to version 3.6.0 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API.
Risk Assessment
Attackers can exploit this vulnerability to execute arbitrary JavaScript in the browsers of all authenticated users, potentially leading to data theft or session hijacking.
Recommendation
It is recommended to upgrade to version 3.6.1 or later to mitigate this vulnerability and to review and validate values submitted through the API to prevent script injections.
Original NVD description (English source)
Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARD_REGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attackers can exploit the unsanitized innerHTML assignment in the branding service to execute arbitrary JavaScript in the browser of every authenticated user on every page load.

