CVE-2026-48518

June 15, 2026, 9:17 p.m.

4.3
Medium

Description

MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including text/plain. Because that content type does not trigger a CORS preflight, an attacker could host a cross-site HTML form that auto-submits to the endpoint and forces a victim's browser to log in as the attacker's team. A successful, undetected attacker can cause victims to unwittingly solve Juice Shop challenges under the attacker's team identity. In a CTF context this lets the attacker inflate their team's score using other players' activity, and any sensitive data the victim enters into "their" Juice Shop ends up in the attacker's instance. The vulnerability is exploitable without any prior authentication; the victim only needs to visit a page the attacker controls while having network access to the MultiJuicer deployment. SameSite=Strict on the session cookie does not mitigate this, because the attack plants a new cookie rather than relying on an existing one. This issue was fixed in version 10.0.1.

Product(s) Impacted

Vendor Product Versions
Multijuicer
  • Multijuicer
  • 8.0.0-10.0.0, 10.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a multijuicer multijuicer 8.0.0-10.0.0 / / / / / / /
a multijuicer multijuicer 10.0.1 / / / / / / /

References

https://github.com/juice-shop/multi-juicer/commit/75b08c3fdda410781d421bfdf041fb1e913d6b49
https://github.com/juice-shop/multi-juicer/issues/525
https://github.com/juice-shop/multi-juicer/security/advisories/GHSA-h759-hf7w-j6m6

Tags

[email protected]
CWE-352
2026-06-15
CVE-2026-48518

CVSS Score

4.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: June 15, 2026, 9:17 p.m.
Last Modified: June 15, 2026, 9:17 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.