Wetty Client DOM XSS via Base64 Filename in File Download Escape Sequence (CVE-2026-49864)
A high-severity DOM XSS vulnerability (CVE-2026-49864) in the wetty SSH client allows an attacker to achieve keystroke injection and command execution on the victim's SSH session by embedding a crafted base64-encoded filename within a terminal file-download escape sequence, which is then unescaped and rendered as raw HTML.
A critical DOM-based Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-49864, has been identified in the wetty web-based SSH client, affecting versions prior to 3.0.4. This flaw allows a remote attacker to execute arbitrary JavaScript within the victim's browser context, leading to keystroke injection and command execution within their active SSH session. The vulnerability stems from wetty's client-side handling of file-download escape sequences (\x1b[5i...:...\x1b[4i), where a base64-encoded filename within the sequence is directly base64-decoded and interpolated into an HTML Toastify notification with escapeMarkup: false. This allows an attacker to inject malicious HTML, including <script> tags or onerror event handlers, into the victim's browser. The exploitation occurs when the victim's terminal renders any output containing the specially crafted escape sequence, making it a significant threat to confidentiality and integrity of SSH sessions.
Attack Chain
- Attacker gains control of SSH server output: The attacker compromises an SSH server that the victim uses with wetty, or is another user on a shared SSH host who can write to files/logs visible to the victim.
- Attacker crafts malicious escape sequence: The attacker prepares a base64-encoded HTML payload (e.g.,
<img src=x onerror="window.wetty_term.input(\"cmd\\n\",true)">) and encodes it as the filename portion of a file-download escape sequence. - Attacker delivers escape sequence to terminal output: The attacker uses a command like
printf '\x1b[5i%s:%s\x1b[4i' "$FNAME_B64" "$DATA_B64"to emit the crafted escape sequence into the victim's SSH session output (e.g., bycatting a file, tailing a log, or via MOTD). - Victim's wetty client processes output: The wetty client receives the terminal output containing the escape sequence and passes it through its
FileDownloader.buffer. - Malicious filename is decoded and rendered: The
FileDownloaderidentifies the complete escape sequence, base64-decodes the filename, and interpolates it unescaped into aToastifynotification, which renders the attacker-controlled HTML. - XSS payload executes in victim's browser: The injected HTML (e.g., the
onerrorhandler) executes, callingwindow.wetty_term.input()with attacker-chosen commands. - Commands are typed into victim's SSH session: The
wetty_term.input()method causes the attacker's commands to be sent to the SSH server as if the victim typed them, leading to execution (e.g.,id > /tmp/pwned). - Information disclosure/further compromise: The attacker-injected commands execute on the SSH host, potentially leading to data exfiltration (e.g.,
window.wetty_term.buffer.activedisclosure) or further system compromise.
Impact
This vulnerability poses a severe risk to organizations using vulnerable wetty clients. If exploited, it grants the attacker significant control over the victim's SSH session. Impact includes compromise of confidentiality, as the attacker can read the victim's rendered terminal contents via window.wetty_term.buffer.active. Integrity is also compromised through the ability to type arbitrary attacker-chosen commands into the victim's SSH session via window.wetty_term.input(), effectively achieving remote command execution. Furthermore, it presents a critical authentication bypass, allowing an attacker who can control terminal output (e.g., a low-privileged user on a shared SSH host) to gain keystroke injection capabilities into a higher-privileged user's wetty session, escalating privileges or moving laterally within the environment.
Recommendation
- Patch CVE-2026-49864 by upgrading the wetty client to version 3.0.4 or later immediately.
- Deploy the Sigma rule provided in this brief to your SIEM to detect attempts to inject malicious escape sequences via
printfor similar commands within SSH sessions. - Review SSH server command logging for unusual
printfcommands containing\x1b[5iand base64-encoded strings, as detected by the ruleDetect Wetty DOM XSS Payload Injection Attempt.
Detection coverage 1
Detect Wetty DOM XSS Payload Injection Attempt
highDetects attempts to inject the wetty DOM XSS payload (CVE-2026-49864) by looking for specific `printf` commands that embed the file-download escape sequence with a base64-encoded filename.
Detection queries are available on the platform. Get full rules →