{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wetty--3.0.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["wetty (\u003c 3.0.4)"],"_cs_severities":["high"],"_cs_tags":["xss","dom-xss","wetty","vulnerability","rce","ssh-client","client-side"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical DOM-based Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-49864, has been identified in the wetty web-based SSH client, affecting versions prior to 3.0.4. This flaw allows a remote attacker to execute arbitrary JavaScript within the victim's browser context, leading to keystroke injection and command execution within their active SSH session. The vulnerability stems from wetty's client-side handling of file-download escape sequences (\u003ccode\u003e\\x1b[5i...:...\\x1b[4i\u003c/code\u003e), where a base64-encoded filename within the sequence is directly base64-decoded and interpolated into an HTML \u003ccode\u003eToastify\u003c/code\u003e notification with \u003ccode\u003eescapeMarkup: false\u003c/code\u003e. This allows an attacker to inject malicious HTML, including \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tags or \u003ccode\u003eonerror\u003c/code\u003e event handlers, into the victim's browser. The exploitation occurs when the victim's terminal renders any output containing the specially crafted escape sequence, making it a significant threat to confidentiality and integrity of SSH sessions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker gains control of SSH server output\u003c/strong\u003e: The attacker compromises an SSH server that the victim uses with wetty, or is another user on a shared SSH host who can write to files/logs visible to the victim.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker crafts malicious escape sequence\u003c/strong\u003e: The attacker prepares a base64-encoded HTML payload (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=\u0026quot;window.wetty_term.input(\\\u0026quot;cmd\\\\n\\\u0026quot;,true)\u0026quot;\u0026gt;\u003c/code\u003e) and encodes it as the filename portion of a file-download escape sequence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker delivers escape sequence to terminal output\u003c/strong\u003e: The attacker uses a command like \u003ccode\u003eprintf '\\x1b[5i%s:%s\\x1b[4i' \u0026quot;$FNAME_B64\u0026quot; \u0026quot;$DATA_B64\u0026quot;\u003c/code\u003e to emit the crafted escape sequence into the victim's SSH session output (e.g., by \u003ccode\u003ecat\u003c/code\u003eting a file, tailing a log, or via MOTD).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim's wetty client processes output\u003c/strong\u003e: The wetty client receives the terminal output containing the escape sequence and passes it through its \u003ccode\u003eFileDownloader.buffer\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious filename is decoded and rendered\u003c/strong\u003e: The \u003ccode\u003eFileDownloader\u003c/code\u003e identifies the complete escape sequence, base64-decodes the filename, and interpolates it unescaped into a \u003ccode\u003eToastify\u003c/code\u003e notification, which renders the attacker-controlled HTML.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eXSS payload executes in victim's browser\u003c/strong\u003e: The injected HTML (e.g., the \u003ccode\u003eonerror\u003c/code\u003e handler) executes, calling \u003ccode\u003ewindow.wetty_term.input()\u003c/code\u003e with attacker-chosen commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommands are typed into victim's SSH session\u003c/strong\u003e: The \u003ccode\u003ewetty_term.input()\u003c/code\u003e method causes the attacker's commands to be sent to the SSH server as if the victim typed them, leading to execution (e.g., \u003ccode\u003eid \u0026gt; /tmp/pwned\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation disclosure/further compromise\u003c/strong\u003e: The attacker-injected commands execute on the SSH host, potentially leading to data exfiltration (e.g., \u003ccode\u003ewindow.wetty_term.buffer.active\u003c/code\u003e disclosure) or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability poses a severe risk to organizations using vulnerable wetty clients. If exploited, it grants the attacker significant control over the victim's SSH session. Impact includes compromise of confidentiality, as the attacker can read the victim's rendered terminal contents via \u003ccode\u003ewindow.wetty_term.buffer.active\u003c/code\u003e. Integrity is also compromised through the ability to type arbitrary attacker-chosen commands into the victim's SSH session via \u003ccode\u003ewindow.wetty_term.input()\u003c/code\u003e, effectively achieving remote command execution. Furthermore, it presents a critical authentication bypass, allowing an attacker who can control terminal output (e.g., a low-privileged user on a shared SSH host) to gain keystroke injection capabilities into a higher-privileged user's wetty session, escalating privileges or moving laterally within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-49864 by upgrading the wetty client to version 3.0.4 or later immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect attempts to inject malicious escape sequences via \u003ccode\u003eprintf\u003c/code\u003e or similar commands within SSH sessions.\u003c/li\u003e\n\u003cli\u003eReview SSH server command logging for unusual \u003ccode\u003eprintf\u003c/code\u003e commands containing \u003ccode\u003e\\x1b[5i\u003c/code\u003e and base64-encoded strings, as detected by the rule \u003ccode\u003eDetect Wetty DOM XSS Payload Injection Attempt\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:42:43Z","date_published":"2026-07-03T12:42:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wetty-dom-xss/","summary":"A high-severity DOM XSS vulnerability (CVE-2026-49864) in the wetty SSH client allows an attacker to achieve keystroke injection and command execution on the victim's SSH session by embedding a crafted base64-encoded filename within a terminal file-download escape sequence, which is then unescaped and rendered as raw HTML.","title":"Wetty Client DOM XSS via Base64 Filename in File Download Escape Sequence (CVE-2026-49864)","url":"https://feed.craftedsignal.io/briefs/2026-07-wetty-dom-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Wetty (\u003c 3.0.4)","version":"https://jsonfeed.org/version/1.1"}