<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ssh-Client - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ssh-client/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:42:43 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ssh-client/feed.xml" rel="self" type="application/rss+xml"/><item><title>Wetty Client DOM XSS via Base64 Filename in File Download Escape Sequence (CVE-2026-49864)</title><link>https://feed.craftedsignal.io/briefs/2026-07-wetty-dom-xss/</link><pubDate>Fri, 03 Jul 2026 12:42:43 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wetty-dom-xss/</guid><description>A high-severity DOM XSS vulnerability (CVE-2026-49864) in the wetty SSH client allows an attacker to achieve keystroke injection and command execution on the victim's SSH session by embedding a crafted base64-encoded filename within a terminal file-download escape sequence, which is then unescaped and rendered as raw HTML.</description><content:encoded><![CDATA[<p>A critical DOM-based Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-49864, has been identified in the wetty web-based SSH client, affecting versions prior to 3.0.4. This flaw allows a remote attacker to execute arbitrary JavaScript within the victim's browser context, leading to keystroke injection and command execution within their active SSH session. The vulnerability stems from wetty's client-side handling of file-download escape sequences (<code>\x1b[5i...:...\x1b[4i</code>), where a base64-encoded filename within the sequence is directly base64-decoded and interpolated into an HTML <code>Toastify</code> notification with <code>escapeMarkup: false</code>. This allows an attacker to inject malicious HTML, including <code>&lt;script&gt;</code> tags or <code>onerror</code> event handlers, into the victim's browser. The exploitation occurs when the victim's terminal renders any output containing the specially crafted escape sequence, making it a significant threat to confidentiality and integrity of SSH sessions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker gains control of SSH server output</strong>: The attacker compromises an SSH server that the victim uses with wetty, or is another user on a shared SSH host who can write to files/logs visible to the victim.</li>
<li><strong>Attacker crafts malicious escape sequence</strong>: The attacker prepares a base64-encoded HTML payload (e.g., <code>&lt;img src=x onerror=&quot;window.wetty_term.input(\&quot;cmd\\n\&quot;,true)&quot;&gt;</code>) and encodes it as the filename portion of a file-download escape sequence.</li>
<li><strong>Attacker delivers escape sequence to terminal output</strong>: The attacker uses a command like <code>printf '\x1b[5i%s:%s\x1b[4i' &quot;$FNAME_B64&quot; &quot;$DATA_B64&quot;</code> to emit the crafted escape sequence into the victim's SSH session output (e.g., by <code>cat</code>ting a file, tailing a log, or via MOTD).</li>
<li><strong>Victim's wetty client processes output</strong>: The wetty client receives the terminal output containing the escape sequence and passes it through its <code>FileDownloader.buffer</code>.</li>
<li><strong>Malicious filename is decoded and rendered</strong>: The <code>FileDownloader</code> identifies the complete escape sequence, base64-decodes the filename, and interpolates it unescaped into a <code>Toastify</code> notification, which renders the attacker-controlled HTML.</li>
<li><strong>XSS payload executes in victim's browser</strong>: The injected HTML (e.g., the <code>onerror</code> handler) executes, calling <code>window.wetty_term.input()</code> with attacker-chosen commands.</li>
<li><strong>Commands are typed into victim's SSH session</strong>: The <code>wetty_term.input()</code> method causes the attacker's commands to be sent to the SSH server as if the victim typed them, leading to execution (e.g., <code>id &gt; /tmp/pwned</code>).</li>
<li><strong>Information disclosure/further compromise</strong>: The attacker-injected commands execute on the SSH host, potentially leading to data exfiltration (e.g., <code>window.wetty_term.buffer.active</code> disclosure) or further system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability poses a severe risk to organizations using vulnerable wetty clients. If exploited, it grants the attacker significant control over the victim's SSH session. Impact includes compromise of confidentiality, as the attacker can read the victim's rendered terminal contents via <code>window.wetty_term.buffer.active</code>. Integrity is also compromised through the ability to type arbitrary attacker-chosen commands into the victim's SSH session via <code>window.wetty_term.input()</code>, effectively achieving remote command execution. Furthermore, it presents a critical authentication bypass, allowing an attacker who can control terminal output (e.g., a low-privileged user on a shared SSH host) to gain keystroke injection capabilities into a higher-privileged user's wetty session, escalating privileges or moving laterally within the environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-49864 by upgrading the wetty client to version 3.0.4 or later immediately.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect attempts to inject malicious escape sequences via <code>printf</code> or similar commands within SSH sessions.</li>
<li>Review SSH server command logging for unusual <code>printf</code> commands containing <code>\x1b[5i</code> and base64-encoded strings, as detected by the rule <code>Detect Wetty DOM XSS Payload Injection Attempt</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>dom-xss</category><category>wetty</category><category>vulnerability</category><category>rce</category><category>ssh-client</category><category>client-side</category></item></channel></rss>