CVE-2026-44541
Published 2026-06-08
Priority: P3. Severity: high (CVSS 4.0, score 7).
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.30% (21.3rd percentile)
Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethyca | fides | >= 2.33.0, < 2.84.5 | 2.84.5 |
VulDB (2026-05-15): CVE-2026-44541 [LOW] Ethyca Fides fides.js fides_description cross-site scripting
A vulnerability classified as problematic has been found in Ethyca Fides. Affected by this vulnerability is an unknown functionality of the file fides.js. Manipulation of the argument fides_description causes cross-site scripting.
This vulnerability is handled as CVE-2026-44541. The attack can be initiated remotely. No exploit is available.
GHSA (2026-05-14): CVE-2026-44541 [HIGH] CWE-79 ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override
### Summary
`fides.js` is the script that renders Fides's consent banner on customer websites. It lets the embedding page override the banner's description text at runtime via a URL query parameter, a JavaScript global, or a cookie. On sites that have opted into HTML-formatted descriptions, the overridden value is rendered as live HTML without passing through the server-side sanitiser the rendering path was designed to trust.
The result is a DOM-based XSS that any visitor can trigger with a crafted link, no authentication required. The cookie source lets the payload persist, so a single click can plant a payload that fires on every subsequent banner render across all subdomains until cookies are cl
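The override-and-render path the advisory describes, as an added illustration that is not Fides's own fides.js code: the three runtime sources (query parameter, JavaScript global, cookie), a vulnerable rendering shape in which the HTML opt-in extends trust to the override, and a hardened shape that only ever treats the server-sanitised description as HTML. The function names, the use of `fides_description` as the query, global and cookie key, and the precedence among sources are assumptions.

```javascript
// Added example, not Fides's own code. Function names, the use of
// "fides_description" as query/global/cookie key, and the precedence
// among sources are assumptions made for this illustration.
const OVERRIDE_KEY = "fides_description";

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The three runtime override sources the advisory names. Returns null
// when none is set. Precedence query > global > cookie is assumed.
function readOverride({ search = "", globals = {}, cookie = "" }) {
  const fromQuery = new URLSearchParams(search).get(OVERRIDE_KEY);
  if (fromQuery !== null) return fromQuery;
  if (typeof globals[OVERRIDE_KEY] === "string") return globals[OVERRIDE_KEY];
  const fromCookie = parseCookies(cookie)[OVERRIDE_KEY];
  return fromCookie === undefined ? null : fromCookie;
}

// Escape the characters that matter when text is placed into innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable shape: once the site has opted into HTML descriptions, a
// client-side override is trusted as if it were server-sanitised text.
function renderVulnerable(serverDescription, override, htmlEnabled) {
  const text = override !== null ? override : serverDescription;
  return htmlEnabled ? text : escapeHtml(text);
}

// Hardened shape: only the server-supplied description (which went
// through the server-side sanitiser) may be used as HTML; any runtime
// override is rendered as plain text regardless of the HTML opt-in.
function renderHardened(serverDescription, override, htmlEnabled) {
  if (override !== null) return escapeHtml(override);
  return htmlEnabled ? serverDescription : escapeHtml(serverDescription);
}
```

The cookie branch is the one that persists across page loads, so a detection or cleanup effort should look for an unexpected `fides_description` cookie on the site's parent domain as well as the query string.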
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.