CVE-2026-1520 is a cross-site scripting (XSS) vulnerability identified in rethinkdb versions 2.4.0 through 2.4.3. The flaw exists in the Secondary Index Handler component, where improper input sanitization allows an attacker to inject malicious scripts. This vulnerability can be exploited remotely without authentication, but it requires user interaction to trigger the malicious payload, such as a victim clicking a crafted link or visiting a malicious page that interacts with the vulnerable rethinkdb interface. The vulnerability could enable attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive data, or other malicious actions within the scope of the affected web application. The vendor was contacted early but has not provided a patch or response, and no official fixes are currently available. The exploit code is publicly accessible, increasing the risk of exploitation, although no active exploitation has been reported so far. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, but user interaction is necessary, with limited impact on confidentiality and integrity, and no impact on availability.

The primary impact of this vulnerability is on the confidentiality and integrity of data accessed through web applications using rethinkdb’s Secondary Index Handler. Successful exploitation could allow attackers to steal session tokens, credentials, or other sensitive information from users, potentially leading to account compromise or unauthorized actions. While the vulnerability does not directly affect system availability, the resulting compromise could facilitate further attacks or data breaches. Organizations relying on rethinkdb in web-facing environments, especially those exposing administrative or query interfaces, are at risk. The lack of vendor response and patches increases exposure time, and the public availability of exploit code lowers the barrier for attackers. However, the requirement for user interaction limits automated mass exploitation. Overall, the threat is moderate but significant for environments where rethinkdb is accessible to untrusted users.

Since no official patches are available, organizations should implement compensating controls to reduce risk. These include restricting access to rethinkdb interfaces to trusted networks or VPNs, implementing strict input validation and output encoding on any web applications interacting with rethinkdb, and employing Content Security Policy (CSP) headers to limit the impact of injected scripts. Monitoring and logging access to rethinkdb endpoints can help detect suspicious activity. Additionally, educating users about the risks of clicking untrusted links can reduce successful exploitation. Organizations should also consider upgrading to newer versions of rethinkdb if and when patches become available or migrating to alternative database solutions with active security support. Regular security assessments and penetration testing focusing on web interfaces can help identify and remediate similar vulnerabilities.