Vulnerability Summary

Vulnerability Title: There is a cross-site scripting (XSS) vulnerability in the RethinkDB database.
Affected Versions: V2.4.3 (latest)

Discovery Details

Discovery Time: 2026-01-14
Discoverer: 59LAB ()

Proof of Concept (POC)

The POC involves a specific URL and a payload that trigger the XSS vulnerability. The payload is not triggered at the moment it is created successfully. After clicking the delete button three times in a row, you can see that the JavaScript code is executed.

URL Example:
POC Payload:

Patch Solution

To remediate this vulnerability, apply a defense-in-depth approach that combines proper output encoding with stricter security policy enforcement. Specifically:

Strict Output Encoding: All data returned from SQL query results and rendered in the web interface should be HTML-encoded according to its output context. Special characters such as , , , and must be safely escaped.

Restrict Dangerous URI Schemes: Block or sanitize dangerous URI schemes like , , and .

Content Security Policy (CSP): Strengthen the existing CSP to prevent script execution from untrusted sources. Disallow specific URI schemes in the relevant directives and enforce a strict default-src policy.

Avoid Raw Data Rendering: Render SQL execution console output as plain text. If HTML rendering is required, use a robust HTML sanitizer to remove executable elements and event-handler attributes.