Critical Vulnerability Information

Vulnerability Type: XSS in report section
Fixed Version: 3.28.0

Description

Malicious Python code can be embedded in reports to execute arbitrary JavaScript in the viewer's browser. The application lets users store Python code in reports, and that code runs automatically whenever another user opens the report. The root cause is that the Python is executed in Pyodide with its JavaScript bridge left unrestricted: the bridge exposes the page's browser globals (DOM, cookies, fetch) to Python, so the intended Python execution sandbox provides no isolation from the host page, and stored Python becomes stored XSS.

Source - Taint Analysis

1. Source: The entry point is the API endpoint, which accepts user-provided Python code in the field via POST requests.

2. Data Flow:
   - The code is stored in the database without any sanitization or validation.
   - On retrieval, the stored content is embedded into a React component.
   - The Markdown renderer recognizes fenced code blocks carrying the language tag.
   - Those code blocks are passed to the Board component for execution.

3. Sink: Execution occurs in , where:
   - Pyodide loads and executes the Python code.
   - The Python code uses to execute arbitrary JavaScript.
   - No restrictions or checks are enforced on the JavaScript the Python code can reach.

Proof of Concept

1. Create a malicious report:

2. Note the report ID returned in the response.

3. Open the report as another user. On load, the embedded code executes JavaScript in the victim's browser context and sends all report data to an attacker-controlled server.

Impact

An attacker who can create a report can execute arbitrary JavaScript in the browser of any user who views it, and can therefore:
- Steal authentication cookies and tokens.
- Access and exfiltrate sensitive information within the application.
- Make authenticated requests on behalf of the victim.