CVE-2026-31382 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the Gainsight Assist product. The vulnerability arises from improper neutralization of user-supplied input in the error_description parameter during web page generation. This flaw allows an attacker to craft malicious payloads that, when reflected back to the user, execute arbitrary JavaScript code in the victim's browser context. A notable aspect of this vulnerability is the ability to bypass domain Web Application Firewalls (WAFs) using a Safari-specific onpagereveal event payload, which leverages browser-specific behavior to evade common filtering mechanisms. The vulnerability does not require authentication but does require user interaction, such as clicking a crafted link or visiting a malicious page. The CVSS v3.1 base score of 6.1 reflects a medium severity level, with attack vector being network-based, low attack complexity, no privileges required, but user interaction necessary. The scope is changed (S:C), indicating that exploitation could affect resources beyond the vulnerable component. The impact primarily affects integrity and availability, with no direct confidentiality loss reported. No patches or known exploits are currently documented, but the presence of this vulnerability in a SaaS customer engagement platform like Gainsight Assist could enable attackers to perform session hijacking, defacement, or denial of service through script execution. The vulnerability was reserved and published in March 2026 by Rapid7.

The primary impact of this vulnerability is the potential execution of arbitrary scripts in the context of users interacting with Gainsight Assist, which can lead to session hijacking, unauthorized actions, or manipulation of displayed content. Although confidentiality impact is rated none, integrity and availability impacts are low to medium, as attackers could alter user interactions or cause denial of service conditions. The ability to bypass WAF protections using a Safari-specific payload increases the risk of successful exploitation, especially against organizations relying heavily on WAFs for defense. Since Gainsight Assist is a SaaS platform used for customer success and engagement, exploitation could undermine trust, disrupt workflows, and expose organizations to reputational damage. The requirement for user interaction limits automated exploitation but does not eliminate risk, particularly in phishing or social engineering scenarios. Organizations with large user bases or sensitive customer data integrated with Gainsight Assist may face increased risk of targeted attacks leveraging this vulnerability.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the error_description parameter to prevent injection of malicious scripts. Gainsight should be engaged to provide a patch or update that addresses this issue at the source. Until a patch is available, organizations can deploy additional WAF rules tailored to detect and block Safari-specific onpagereveal payloads, though this may require custom tuning given the bypass technique. Security teams should monitor logs for unusual URL parameters or suspicious user activity indicative of attempted XSS exploitation. User awareness training to recognize phishing attempts and suspicious links can reduce the risk of user interaction-based exploitation. Employing Content Security Policy (CSP) headers can help restrict script execution to trusted sources, mitigating impact if exploitation occurs. Regularly updating browsers and security tools will also help reduce exposure to browser-specific attack vectors. Finally, organizations should review their Gainsight Assist deployment configurations and limit exposure of vulnerable endpoints where possible.