{"data":{"id":"2a0d57d5-421e-4235-95bb-517c8fc5a518","title":"GHSA-7qw2-f75v-62f7: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component","summary":"Coder's AgentLogLine dashboard component failed to escape HTML characters before displaying workspace agent logs, allowing a workspace owner to inject arbitrary HTML that would render in other users' browsers when they viewed the workspace page. While a Content Security Policy blocked inline scripts, attackers could still inject redirects or CSS-based attacks.","solution":"The fix enables `escapeXML: true` in the `ansi-to-html` conversion so HTML metacharacters are escaped before being inserted into the page. Patched versions are available: v2.34.2, v2.33.8, v2.32.7, and v2.29.17 (ESR).","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-7qw2-f75v-62f7","publishedAt":"2026-07-06T21:12:56.000Z","cveId":"CVE-2026-55437","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":["github.com/coder/coder/v2@< 2.29.17 (fixed: 2.29.17)","github.com/coder/coder/v2@>= 2.30.0, < 2.32.7 (fixed: 2.32.7)","github.com/coder/coder/v2@>= 2.33.0, < 2.33.8 (fixed: 2.33.8)","github.com/coder/coder/v2@>= 2.34.0, < 2.34.2 (fixed: 2.34.2)"],"affectedVendors":[],"affectedVendorsRaw":["Coder","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-07-06T21:12:56.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0020","AML.T0051.001"]}}