Detect CVE-2026-47428: Vitest Browser Mode XSS via Unsanitized otelCarrier Query Parameter in Splunk
CVE-2026-47428 is a reflected Cross-Site Scripting (XSS) vulnerability in @vitest/browser versions >= 4.0.17 < 4.1.6 and >= 5.0.0-beta.0 < 5.0.0-beta.3. The browser mode development server serves the otelCarrier query parameter as unsanitized inline script content in esm-client-injector.js and serverOrchestrator.ts, allowing an attacker to inject arbitrary JavaScript into the test runner's browser context. With a CVSS of 9.6 and public PoC available, this poses a critical risk to CI/CD pipelines and developer workstations running Vitest browser mode tests, potentially enabling credential theft, session hijacking, or supply chain compromise.
MITRE ATT&CK
SPL Detection Query
index=proxy OR index=web OR index=endpoint sourcetype IN ("access_combined", "stream:http", "crowdstrike:events:sensor", "sysmon")
| eval query_string=coalesce(query_string, cs_uri_query, uri_query, url)
| search query_string="*otelCarrier*"
| rex field=query_string "otelCarrier=(?<otel_value>[^&\s]+)"
| eval is_suspicious=if(match(otel_value, "[<>\"'{}\\(\\)]"), 1, 0)
| where is_suspicious=1 OR (sourcetype="sysmon" AND process_name IN ("node", "node.exe") AND (command_line="*vitest*" OR command_line="*@vitest/browser*"))
| table _time, host, src_ip, dest_ip, uri, otel_value, process_name, command_line, user
| sort -_timeDetects suspicious otelCarrier query parameter values containing HTML/script injection characters indicative of CVE-2026-47428 exploitation, and Vitest browser mode process invocations.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate OpenTelemetry distributed tracing using otelCarrier parameter in microservices architectures
- CI/CD systems running Vitest browser tests with benign otelCarrier values for trace propagation
- Security scanning tools probing for XSS vulnerabilities as part of authorized DAST testing
- URL encoding artifacts that superficially resemble injection characters in legitimate otelCarrier values
Other platforms for CVE-2026-47428
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47428 Basic XSS via otelCarrier Parameter
Expected signal: HTTP request logs showing otelCarrier parameter containing <script> tags; Node.js process spawning on port 5173; outbound network connection to attacker.lab if XSS executes successfully in browser
- Test 2CVE-2026-47428 Event Handler XSS Payload Variant
Expected signal: HTTP requests with onerror, onload event handler patterns in otelCarrier; DNS/network connections to attacker.lab from browser process if XSS executes; browser process network activity on non-standard ports
- Test 3CVE-2026-47428 CI/CD Pipeline Exploitation Simulation
Expected signal: Node.js process with vitest and --browser arguments; child browser process (Chromium/Playwright) spawned from test runner; outbound HTTP connections from browser process to external host; environment variable access logged by audit framework
References (4)
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-2h32-95rg-cppp
- https://github.com/vitest-dev/vitest/blob/cba2036a197ec8ed42c35a37db78ef07192202c7/packages/browser/src/client/public/esm-client-injector.js#L41
- https://github.com/vitest-dev/vitest/blob/cba2036a197ec8ed42c35a37db78ef07192202c7/packages/browser/src/node/serverOrchestrator.ts#L48
- https://github.com/advisories/GHSA-2h32-95rg-cppp
Unlock Pro Content
Get the full detection package for CVE-2026-47428 including response playbook, investigation guide, and atomic red team tests.