Stored XSS in HTML Report Generator

In May 2026, security researchers at Astra identified a stored Cross-Site Scripting (XSS) Vulnerability in HTML ReportGenerator, affecting versions up to 5.5.8.

Cross-Site Scripting(XSS) is a general web security vulnerability that allows threat actors to inject malicious scripts into a web application. This type of vulnerability is mostly exploited to perform actions on behalf of the victim or to mine cryptocurrency.

Technical Breakdown

The stored XSS vulnerability was discovered during a manual security review of the HTML report-generation functionality. This flaw is very dangerous in a development environment where HTML reports are frequently generated and opened by devs from CI/CD pipelines, shared folders, or local machines

How was it discovered?

Our researcher discovered this vulnerability while examining how user-controlled coverage metadata is processed and embedded into the reports. It was observed that values like class names and assembly names from XML inputs were directly inserted into JavaScript object literals inside the generated main.js file without proper JavaScript/JSON escaping.

Only backslashes were allowed to escape, while quotation marks and other JavaScript metacharacters remained unsanitized. By crafting a malicious coverage XML file with a specially formatted class name, it is possible to inject arbitrary JavaScript into the generated report.

How to replicate the vulnerability

1. Install a vulnerable version before 5.5.9(e.g., 5.5.8)
2. Create an XML file with the code below and name it malicious-coverage.xml

<?xml version="1.0" encoding="UTF-8"?>
<coverage line-rate="0" branch-rate="0" version="1.0">
  <packages>
    <package name="demo">
      <classes>
        <class
          name="\&quot;, &quot;x&quot;:(alert('XSS'),true), &quot;z&quot;: &quot;"
          filename="test.cs"
          line-rate="0"
          branch-rate="0">
          <methods/>
          <lines/>
        </class>
      </classes>
    </package>
  </packages>
</coverage>

3. Generate the report using this command.

dotnet ReportGenerator.dll \
-reports:poc.xml \
-targetdir:report \
-reporttypes:Html

4.  Trigger the XSS by opening the report.

Every fortnight our security engineers update DAST vulnerability scanner’s test cases. So we’re always one step ahead.

Get started at $7!

Impact of Stored XSS

The Stored XSS vulnerability in ReportGenerator (versions < 5.5.9) is quite severe because the payload is embedded directly into the generated HTML report. Once the report is generated, anyone who opens it in a browser becomes a victim. This can impact developers, CI/CD environments, shared coverage dashboards, and internally hosted reports.

Defacement: Modify the appearance and content of the page to show fake messages and offensive content.

Data Theft: Attackers can exfiltrate any data visible to the victim. It can be API keys, passwords, personal info, etc.

Account Hijacking: Threat actors can steal session cookies and hijack the victim’s account, allowing them to impersonate the victim to perform further malicious actions.

Privilege escalation: If an admin views the page, the attacker can gain administrative access to move laterally.

Phishing: Attackers can inject fake login forms or malicious links that look legitimate.

Malware: Once the stored XSS is triggered, threat actors can exploit the browser context to download and run malware (e.g., keyloggers, ransomware).

Current Status

The vulnerability in HTML render has been addressed in version 5.5.9, where proper sanitization and escaping measures have been implemented. The issue can be tracked under GitHub Advisory GHSA-mhh3-wmq6-w25q.