CVE-2026-33061

CVE-2026-33061 is a medium-severity vulnerability in Jexactyl with a CVSS 3.x base score of 5.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.

Frequently asked questions

What is CVE-2026-33061?
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.
How severe is CVE-2026-33061?
CVE-2026-33061 has a CVSS 3.x base score of 5.8, rated medium severity. It is exploitable over local access with low attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2026-33061 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (6th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-33061?
CVE-2026-33061 primarily affects Jexactyl. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2026-33061?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-33061 have an EU (EUVD) identifier?
Yes. CVE-2026-33061 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13622.
When was CVE-2026-33061 published?
CVE-2026-33061 was published on 2026-03-20 and last updated on 2026-06-17.

References

Affected products (10)

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →