Detect CVE-2026-47428: Vitest Browser Mode XSS via Unsanitized otelCarrier Query Parameter in IBM QRadar
CVE-2026-47428 is a reflected Cross-Site Scripting (XSS) vulnerability in @vitest/browser versions >= 4.0.17 < 4.1.6 and >= 5.0.0-beta.0 < 5.0.0-beta.3. The browser mode development server reflects the otelCarrier query parameter unsanitized into inline script content (see esm-client-injector.js and serverOrchestrator.ts), allowing an attacker to inject arbitrary JavaScript into the test runner's browser context. With a CVSS score of 9.6 and a public proof of concept available, this poses a critical risk to CI/CD pipelines and developer workstations running Vitest browser mode tests, potentially enabling credential theft, session hijacking, or supply chain compromise.
QRadar Detection Query
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as 'Event Time', sourceip, destinationip, URL, username, QIDNAME(qid) as 'Event Name', magnitude
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Nginx', 'Microsoft IIS', 'Proxy')
AND URL ILIKE '%otelCarrier=%'
AND (URL ILIKE '%<%' OR URL ILIKE '%>%' OR URL ILIKE '%<script%' OR URL ILIKE '%javascript:%' OR URL ILIKE '%onerror=%' OR URL ILIKE '%onload=%')
AND starttime > NOW() - 7 DAYS
ORDER BY starttime DESC
LIMIT 500
This QRadar AQL query flags HTTP requests whose URL carries an otelCarrier parameter together with common XSS injection markers, i.e. attempts to exploit CVE-2026-47428 in Vitest browser mode.
False Positives & Tuning
- Legitimate telemetry propagation headers that contain special characters as part of base64-encoded trace IDs
- Web application firewalls logging blocked requests that contain otelCarrier XSS patterns from scanners
- Developer tools or browser extensions that inject otelCarrier parameters for debugging purposes
- Log aggregation systems that decode URL-encoded characters causing false pattern matches
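The AQL query above matches the XSS markers literally against the logged URL. As an added example (not part of the original detection package or of the Vitest project), the Python below applies the same marker set to Apache/Nginx combined-format access-log lines, URL-decoding the otelCarrier value first so that percent-encoded and double-encoded payloads are caught while the base64 trace carriers from the tuning list above are not flagged. The log lines, IP addresses, request paths and the log-format regex are constructed for this example.

```python
"""Apply the otelCarrier XSS detection logic of the AQL query to raw
web-server access-log lines, decoding the parameter before matching."""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Apache/Nginx combined log format; only the leading fields are needed here
# (constructed regex for the example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Same markers as the AQL query, matched case-insensitively after decoding.
XSS_MARKERS = ("<", ">", "<script", "javascript:", "onerror=", "onload=")


def otel_carrier_values(url: str) -> list:
    """Return every decoded otelCarrier value in the request's query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # parse_qs decodes once; a second unquote() unwraps double-encoded payloads.
    return [unquote(v) for v in params.get("otelCarrier", [])]


def xss_indicators(value: str) -> list:
    """Markers from XSS_MARKERS present in the decoded carrier value, sorted."""
    low = value.lower()
    return sorted(m for m in XSS_MARKERS if m in low)


def scan_line(line: str) -> Optional[dict]:
    """Return an alert dict for a log line that matches the detection, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    hits = sorted({ind for v in otel_carrier_values(m["url"]) for ind in xss_indicators(v)})
    if not hits:
        return None
    return {"sourceip": m["ip"], "time": m["time"], "url": m["url"], "indicators": hits}


def scan_log(lines) -> list:
    """Run scan_line over an iterable of log lines and keep the alerts."""
    return [alert for alert in map(scan_line, lines) if alert]


def _line(ip: str, path: str) -> str:
    """Build a constructed combined-format log line for the samples below."""
    return f'{ip} - - [12/Mar/2026:10:15:03 +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# A legitimate carrier: base64-encoded W3C trace context (constructed value).
BENIGN_CARRIER = quote(base64.b64encode(
    b'{"traceparent":"00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"}').decode())

# Constructed sample log; addresses and paths are illustrative only.
SAMPLE_LOG = [
    _line("198.51.100.7", f"/?otelCarrier={BENIGN_CARRIER}"),                               # benign carrier
    _line("203.0.113.5", "/?otelCarrier=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),             # encoded <script>
    _line("203.0.113.5", "/?otelCarrier=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"),  # event handler
    _line("203.0.113.9", "/?otelCarrier=%253Cscript%253E"),                                 # double-encoded
    _line("198.51.100.8", "/api/health"),                                                   # no carrier at all
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["sourceip"], alert["indicators"], alert["url"])
```

The decoding step is the practical caveat for the AQL version: `URL ILIKE '%<%'` only fires when the log source already stores the decoded URL. If the web server or proxy logs the raw request line, add the percent-encoded forms (`%3C`, `%3E`) to the pattern list or normalize the URL field in the log source extension before matching.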
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2026-47428 Basic XSS via otelCarrier Parameter
Expected signal: HTTP request logs showing otelCarrier parameter containing <script> tags; Node.js process spawning on port 5173; outbound network connection to attacker.lab if XSS executes successfully in browser
- Test 2: CVE-2026-47428 Event Handler XSS Payload Variant
Expected signal: HTTP requests with onerror, onload event handler patterns in otelCarrier; DNS/network connections to attacker.lab from browser process if XSS executes; browser process network activity on non-standard ports
- Test 3: CVE-2026-47428 CI/CD Pipeline Exploitation Simulation
Expected signal: Node.js process with vitest and --browser arguments; child browser process (Chromium/Playwright) spawned from test runner; outbound HTTP connections from browser process to external host; environment variable access logged by audit framework
References (4)
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-2h32-95rg-cppp
- https://github.com/vitest-dev/vitest/blob/cba2036a197ec8ed42c35a37db78ef07192202c7/packages/browser/src/client/public/esm-client-injector.js#L41
- https://github.com/vitest-dev/vitest/blob/cba2036a197ec8ed42c35a37db78ef07192202c7/packages/browser/src/node/serverOrchestrator.ts#L48
- https://github.com/advisories/GHSA-2h32-95rg-cppp