Swarnimbandekar

#13866of 53,632
19.4Total CVSS
Vulnerabilities · 3
Medium
2
High
1
PT-2026-34805
8.1
2026-04-24
Xibo · Xibo · CVE-2026-31952
**Name of the Vulnerable Software and Affected Versions** Xibo versions 1.7 through 4.4.0 **Description** An SQL injection exists in the API routes of the CMS used for filtering DataSets. This allows an authenticated user with either the `Access to DataSet Feature` or `Access to the Layout Feature` privilege to obtain and modify arbitrary data from the database by injecting specially crafted values into the API filter parameter. **Recommendations** Upgrade to version 4.4.1. For versions 3.3, 2.3, and 1.8, apply the available patches.
PT-2026-34812
6.4
2026-04-24
Xibo · Xibo · CVE-2026-31953
**Name of the Vulnerable Software and Affected Versions** Xibo versions prior to 4.4.1 **Description** A stored Cross-Site Scripting (XSS) issue allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When a notification is configured as an "interrupt," the payload executes automatically in the browser of targeted users upon login without requiring interaction. This requires the attacker to have privileges to access the Notification Centre and the ability to use the "Add Notification" button, permissions typically not granted to non-administrators. **Recommendations** Upgrade to version 4.4.1. Revoke notification creation and Notification Centre access privileges from untrusted users as a temporary workaround.
PT-2026-34813
4.9
2026-04-24
Xibo · Xibo · CVE-2026-31955
**Name of the Vulnerable Software and Affected Versions** Xibo versions prior to 4.4.1 **Description** An authenticated Server-Side Request Forgery (SSRF) allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be used to scan internal infrastructure, access local cloud metadata endpoints such as AWS IMDS, interact with unauthenticated internal services, or exfiltrate data. Exploitation requires an authorized user to possess the privilege to use the "Add DataSet" button for creating additional DataSets independently to Layouts. **Recommendations** Upgrade to version 4.4.1. Revoke the privilege to use the "Add DataSet" button from untrusted users as a temporary workaround.