External risk intelligence

Scalar Proxy can be hacked to run malicious code on your systems.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-30117

Scalar Proxy has a critical flaw allowing attackers to upload malicious files and run unauthorized code on your systems remotely, potentially impacting internet-facing systems.

Halo Surface Signal: 5

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-30117

The vulnerability resides in a proxy endpoint specifically designed to process external URL requests. As a component that acts as a gateway for external traffic, its standard deployment involves internet exposure to perform its core function of handling network-based requests.

Horizon Alert

Summary of the vulnerability and why it matters

An arbitrary file upload vulnerability exists in the Scalar Proxy endpoint of scalar/astro. This allows unauthorized code execution by uploading a malicious SVG file through a specific query parameter. Teams should pay attention because this could lead to compromise of systems that use this proxy.

  • Allows remote code execution.
  • Affects systems processing external URLs.
  • Reachable from the internet.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this arbitrary file upload vulnerability to achieve remote code execution. By crafting a malicious SVG file and uploading it through the vulnerable `scalar_url` parameter in the Scalar Proxy endpoint, an attacker can bypass security controls and execute arbitrary code on the target system. This is particularly concerning as it requires no prior authentication or user interaction.

  • No authentication required.
  • Targets Scalar Proxy endpoint.
  • Upload malicious SVG file.

Live Threat

Current exploitation, exposure, and threat context

This arbitrary file upload vulnerability allows unauthenticated code execution through crafted SVG files. Its network-accessible nature and lack of authentication requirements make it an attractive target for attackers seeking to compromise systems remotely. The ease of exploitation suggests it could be rapidly weaponized if malicious actors identify widespread deployment.

  • No known exploitation in the wild.
  • No public exploit code available.
  • No KEV listing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking or isolating services using scalar/astro v0.1.13 due to its critical arbitrary file upload vulnerability that allows for remote code execution. Focus immediate efforts on identifying and containing affected systems before attempting remediation.

  • Block malicious traffic to the Scalar Proxy endpoint.
  • Isolate affected services if patching is delayed.
  • Monitor for signs of exploitation.

Frequently asked questions

What is scalar/astro and its Scalar Proxy endpoint?

Scalar/astro is a software component used for rendering API references, often within the Astro framework. It includes a Scalar Proxy endpoint that acts as a gateway, forwarding requests to a specified target URL via the `scalar_url` query parameter. This proxy is designed to handle external URLs and can be configured to manage cross-origin requests.

What is the weakness class of CVE-2026-30117?

CVE-2026-30117 represents an arbitrary file upload vulnerability, specifically categorized under CWE-94: Improper Control of Generation of Code. This weakness allows attackers to upload files that they should not be able to, leading to potential code execution.

How can an attacker exploit CVE-2026-30117?

An attacker can exploit this vulnerability by uploading a crafted SVG file through the `scalar_url` query parameter of the Scalar Proxy endpoint. Since the endpoint does not sufficiently validate the content of fetched files, a malicious SVG containing embedded JavaScript can be uploaded and then executed by a victim's browser when rendered, leading to arbitrary code execution.

What is the relevance of CVE-2026-30117 regarding Halo Surface Signal?

The Halo Surface Signal indicates that this vulnerability is 'Very likely' to be exploited because it resides in a proxy endpoint designed to process external URL requests, implying internet exposure. Its function as a gateway for external traffic means it's intended to handle network-based requests, increasing its attack surface.

What practical steps can be taken to respond to this vulnerability?

To address CVE-2026-30117, organizations should prioritize isolating affected systems running scalar/astro v0.1.13. Blocking malicious traffic to the Scalar Proxy endpoint is a critical immediate step. If patching is delayed, isolating services is recommended. Continuous monitoring for signs of exploitation is also advised.
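One way to start the monitoring step named under "Priority actions" and in the answer above is to search web access logs for proxy requests whose `scalar_url` target is an SVG file. This is an added example, not code from scalar/astro or from this advisory. The log lines, hosts and the `/proxy` path are constructed, and the function names are hypothetical. The check keys on the `scalar_url` parameter name only, because the advisory does not give the endpoint path.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format; hosts, paths and IPs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2026:10:01:11 +0000] "GET /proxy?scalar_url=https%3A%2F%2Fapi.example.com%2Fopenapi.json HTTP/1.1" 200 5120
198.51.100.23 - - [02/Mar/2026:10:02:40 +0000] "GET /proxy?scalar_url=https%3A%2F%2Ffiles.example.net%2Fa.SVG%3Fv%3D1 HTTP/1.1" 200 812
198.51.100.23 - - [02/Mar/2026:10:02:55 +0000] "GET /proxy?scalar_url=https%253A%252F%252Ffiles.example.net%252Fb.svg HTTP/1.1" 200 790
203.0.113.9 - - [02/Mar/2026:10:03:02 +0000] "GET /docs/logo.svg HTTP/1.1" 200 1400
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded targets are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_svg_proxy_requests(log_text):
    """Return (client_ip, status, target_url) for scalar_url requests that fetch an SVG."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        query = urlsplit(m.group("target")).query
        # parse_qs decodes once; fully_unquote handles any extra encoding layers.
        for raw in parse_qs(query).get("scalar_url", []):
            target = fully_unquote(raw)
            # Compare the path only, so "?v=1" suffixes and upper case do not hide it.
            if urlsplit(target).path.lower().endswith((".svg", ".svgz")):
                hits.append((m.group("ip"), int(m.group("status")), target))
    return hits

if __name__ == "__main__":
    for ip, status, target in find_svg_proxy_requests(SAMPLE_LOG):
        print(f"{ip} status={status} scalar_url={target}")
```

The match is on the file extension in the requested target, so an SVG served from a URL without that extension will not appear; covering that case needs the upstream response's content type, which standard access logs do not record.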
