XSS in Osc Ondemand

CVE-2026-44371

Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute JavaScript in the file browser. This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (19.5th percentile)

Affected products

  • Osc Ondemand — versions < 4.0.11; >= 4.1.0, < 4.1.5; >= 4.2.0, < 4.2.2

Weakness classification (CWE)

References