{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40028", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-08T13:36:47.863Z", "datePublished": "2026-04-08T21:35:24.001Z", "dateUpdated": "2026-04-11T03:04:53.201Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:24.001Z"}, "title": "Hayabusa < 3.8.0 XSS via JSON Log Import", "descriptions": [{"lang": "en", "value": "Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution."}], "tags": ["x_open-source"], "datePublic": "2026-02-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Yamato-Security", "product": "hayabusa", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.0", "versionType": "semver"}, {"version": "3.8.0", "status": "unaffected", "versionType": "semver"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "references": [{"url": "https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0", "name": "Release Notes", "tags": ["product"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: Hayabusa < 3.8.0 XSS via JSON Log Import", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import"}], "credits": [{"lang": "en", "value": "Mobasi Security Team", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-11T03:04:41.257641Z", "id": "CVE-2026-40028", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-11T03:04:53.201Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40028", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-11T03:04:41.257641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-11T03:04:48.535Z"}}], "cna": {"tags": ["x_open-source"], "title": "Hayabusa < 3.8.0 XSS via JSON Log Import", "credits": [{"lang": "en", "type": "finder", "value": "Mobasi Security Team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Yamato-Security", "product": "hayabusa", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.7.0"}, {"status": "unaffected", "version": "3.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-01T00:00:00.000Z", "references": [{"url": "https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0", "name": "Release Notes", "tags": ["product"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import", "name": "VulnCheck Advisory: Hayabusa < 3.8.0 XSS via JSON Log Import", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:24.001Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40028", "state": "PUBLISHED", "dateUpdated": "2026-04-11T03:04:53.201Z", "dateReserved": "2026-04-08T13:36:47.863Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-08T21:35:24.001Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yamato-security:hayabusa:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFE7B4B2-9683-43D3-9D32-CB6450E122B7", "versionEndExcluding": "3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution."}], "id": "CVE-2026-40028", "lastModified": "2026-04-17T16:17:48.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:23.137", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://mobasi.ai/sentinel"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.8.0,3.8.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "hayabusa", "source": "cna", "vendor": "Yamato-Security"}, "product": "hayabusa", "vendor": "yamato-security"}], "analysis": {"en": {"generated_at": "2026-04-08T22:23:52.136794+00:00", "value": {"mitigation_remediation": ["Update Hayabusa to version 3.8.0 or later, which removes the XSS entry point.", "If immediate updating is not possible, limit JSON log import privileges to trusted users only and apply client\u2011side validation to cleanse the Computer field.", "Disable the HTML report generation feature until the product is patched, preventing exploitation via the report.", "Continuously monitor for XSS injection attempts in logged data and review browser console for unexpected script execution."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is Hayabusa, released by Yamato\u2011Security. All versions lower than 3.8.0 are vulnerable; any installation that has not upgraded to at least 3.8.0 is at risk. ", "description_and_impact": "Hayabusa versions older than 3.8.0 contain an XSS flaw in the HTML report that enables an attacker to inject malicious JavaScript into the Computer field of JSON\u2011exported logs. When a forensic examiner views the generated report, the injected script runs in the browser, potentially disclosing sensitive data or performing unauthorized actions. The vulnerability is classified as CWE\u201179 and is a classic reflected XSS scenario. ", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity; the exploit probability score is unavailable and it is not listed in the CISA KEV catalog. The attack vector is inferred to be through the web interface where users load and view JSON logs\u2014an attacker must supply a crafted log file, and the victim must open the resulting HTML report. Attack requires user interaction but poses a real risk of data disclosure or session hijacking for the examiner. "}}}}, "created": "2026-04-09T08:16:28.555597+00:00", "updated": "2026-04-09T08:25:54.515469+00:00", "vendors": ["yamato-security", "yamato-security$PRODUCT$hayabusa"]}