CVE-2026-5301

High

Published: 08 April 2026

Published

08 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

EPSS Score 0.0004 12.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5301 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Coolercontrol Coolercontrold. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

Information Output Filtering directly prevents stored XSS execution by sanitizing or encoding log entries before rendering them in the log viewer.

SI-10 Information Input Validation good match

prevent

Information Input Validation blocks unauthenticated injection of malicious JavaScript into log entries at the point of submission.

SI-2 Flaw Remediation good match

prevent

Flaw Remediation mandates upgrading to coolercontrol-ui version 4.0.0 or later, which patches the vulnerable code in AppInfoView.vue.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

Why these techniques?

The stored XSS vulnerability in the public-facing web UI (coolercontrol-ui) allows unauthenticated injection of malicious JavaScript into logs, which executes in the authenticated user's browser upon viewing the log viewer. This directly maps to exploitation of public-facing applications (T1190) and use of JavaScript as a command/scripting interpreter for execution (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries

Deeper analysisAI

CVE-2026-5301 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the log viewer component of CoolerControl's coolercontrol-ui software. It affects versions prior to 4.0.0 and was published on 2026-04-08. The issue carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L), indicating network accessibility with low attack complexity but requiring user interaction.

Unauthenticated attackers can exploit the vulnerability by injecting malicious JavaScript into log entries, poisoning them for storage. When an authenticated user accesses the log viewer, the script executes in the browser context, enabling attackers to take over the service, with potential impacts including low confidentiality loss, high integrity compromise, and low availability disruption.

Mitigation is addressed in the coolercontrol-ui version 4.0.0 release, as evidenced by GitLab repository changes; vulnerable code appears at line 224 in the 2.0.0 tag and line 350 in the 3.1.1 tag of AppInfoView.vue. Security practitioners should upgrade to version 4.0.0 or later to remediate the issue.