CVE Catalog

CVE-2026-48518

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile - higher than 7% of all known CVEs

Summary

MultiJuicer versions 8.0.0 through 10.0.0 have a vulnerability in the team join endpoint that accepts requests with any Content-Type, including text/plain. This allows attackers to embed an HTML form that auto-submits to the endpoint, enabling identity takeover of the victim.

Risk Assessment

An attacker can exploit this vulnerability to manipulate scores in a CTF context and capture sensitive data entered by victims. The lack of prior authentication increases the risk for organizations.

Recommendation

It is recommended to update MultiJuicer to version 10.0.1 to mitigate this vulnerability. Additionally, consider implementing further security measures such as content type validation.

Original NVD description (English source)

MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including text/plain. Because that content type does not trigger a CORS preflight, an attacker could host a cross-site HTML form that auto-submits to the endpoint and forces a victim's browser to log in as the attacker's team. A successful, undetected attacker can cause victims to unwittingly solve Juice Shop challenges under the attacker's team identity. In a CTF context this lets the attacker inflate their team's score using other players' activity, and any sensitive data the victim enters into "their" Juice Shop ends up in the attacker's instance. The vulnerability is exploitable without any prior authentication; the victim only needs to visit a page the attacker controls while having network access to the MultiJuicer deployment. SameSite=Strict on the session cookie does not mitigate this, because the attack plants a new cookie rather than relying on an existing one. This issue was fixed in version 10.0.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS