CVE-2026-3106

Name of the Vulnerable Software and Affected Versions Teampass versions prior to 3.1.5.16

Description The application does not properly clean or encode user-provided information during failed authentication attempts. Specifically, the contraseña parameter within the login form at ‘redacted/index.php’ is susceptible to improper handling. This allows for the execution of arbitrary JavaScript code in the administrator's browser when viewing failed login entries, resulting in a blind Cross-Site Scripting (XSS) condition.

Recommendations Update Teampass to version 3.1.5.16 or later.