PT-2026-34805 · Xibo · Xibo

Swarnimbandekar · Published 2026-04-24 · Updated 2026-04-25 · CVE-2026-31952

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Xibo versions 1.7 through 4.4.0

Description: An SQL injection exists in the API routes of the CMS used for filtering DataSets. This allows an authenticated user with either the Access to DataSet Feature or Access to the Layout Feature privilege to obtain and modify arbitrary data from the database by injecting specially crafted values into the API filter parameter.

Recommendations: Upgrade to version 4.4.1. For versions 3.3, 2.3, and 1.8, apply the available patches.

Fix

SQL injection

Incomplete List of Disallowed Inputs
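The weakness class listed above (an incomplete list of disallowed inputs) is the usual root cause when a filter parameter ends up spliced into SQL text. The following added example is not Xibo's code and does not reproduce its schema or API; it uses a constructed in-memory SQLite table with hypothetical column names to contrast the weak pattern (the client-supplied filter value and column name are interpolated into the query) with the hardened pattern (column names are checked against a fixed allowlist and values are passed as bound parameters, so no denylist of "bad" characters is needed at all).

```python
import sqlite3

# Constructed sample rows standing in for a DataSet table (not Xibo's schema).
ROWS = [("Lobby", "active"), ("O'Brien Hall", "active"), ("Cafe", "retired")]

# Hypothetical allowlist of columns a client is permitted to filter on.
ALLOWED_COLUMNS = {"name", "status"}


def make_db():
    """Build the constructed in-memory table used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dataset_rows (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO dataset_rows VALUES (?, ?)", ROWS)
    return conn


def filter_naive(conn, column, value):
    """Weak pattern: the filter parameter becomes part of the SQL text, so the
    database parses whatever the client sent. Trying to block this with a list
    of forbidden characters is exactly the incomplete-denylist weakness."""
    sql = f"SELECT name FROM dataset_rows WHERE {column} = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def filter_safe(conn, column, value):
    """Hardened pattern: identifiers are validated against an allowlist and the
    value is bound as a parameter, so it can only ever be compared as data."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported filter column: {column!r}")
    sql = f"SELECT name FROM dataset_rows WHERE {column} = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Run both variants on the same legitimate inputs and report the outcome."""
    conn = make_db()
    outcome = {}

    # A perfectly ordinary value containing an apostrophe is enough to show the
    # naive query treats the value as SQL: the statement no longer parses.
    try:
        filter_naive(conn, "name", "O'Brien Hall")
        outcome["naive_quote"] = "ran"
    except sqlite3.OperationalError:
        outcome["naive_quote"] = "syntax error"

    # The parameterized query matches the literal value without any escaping.
    outcome["safe_quote"] = filter_safe(conn, "name", "O'Brien Hall")
    outcome["safe_status"] = filter_safe(conn, "status", "active")

    # A column name outside the allowlist is rejected before any SQL is built.
    try:
        filter_safe(conn, "created_at", "2026-04-24")
        outcome["safe_column"] = "accepted"
    except ValueError:
        outcome["safe_column"] = "rejected"

    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the allowlist is that the set of acceptable column names is finite and known to the server, whereas the set of dangerous values is open-ended; validating identifiers against a closed set and binding values as parameters removes the need to guess which characters to forbid.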


Weakness Enumeration: Incomplete List of Disallowed Inputs

Related Identifiers: CVE-2026-31952

Affected Products: Xibo