CVE-2026-40028

low-risk

Published 2026-04-08

Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Hayabusa

Affected Vendors

Yamato-Security

References (3)

Release Notes https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0

Third Party Advisory https://mobasi.ai/sentinel

Third Party Advisory https://www.vulncheck.com/advisories/hayabusa-xss-via-json-log-import

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal