GHSA-7qw2-f75v-62f7: Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
Summary
Coder's AgentLogLine dashboard component failed to escape HTML characters before displaying workspace agent logs, allowing a workspace owner to inject arbitrary HTML that would render in other users' browsers when they viewed the workspace page. While a Content Security Policy blocked inline scripts, attackers could still inject redirects or CSS-based attacks.
Solution / Mitigation
The fix enables `escapeXML: true` in the `ansi-to-html` conversion so HTML metacharacters are escaped before being inserted into the page. Patched versions are available: v2.34.2, v2.33.8, v2.32.7, and v2.29.17 (ESR).
Vulnerability Details
EPSS: 0.0%
Yes
July 6, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-7qw2-f75v-62f7
First tracked: July 6, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%