PT-2026-34812 · Xibo · Xibo

Swarnimbandekar · Published 2026-04-24 · Updated 2026-04-25 · CVE-2026-31953

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Xibo versions prior to 4.4.1

Description

A stored Cross-Site Scripting (XSS) issue allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When a notification is configured as an "interrupt," the payload executes automatically in the browser of targeted users upon login without requiring interaction. This requires the attacker to have privileges to access the Notification Centre and the ability to use the "Add Notification" button, permissions typically not granted to non-administrators.

Recommendations

Upgrade to version 4.4.1. Revoke notification creation and Notification Centre access privileges from untrusted users as a temporary workaround.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-31953

Affected Products

Xibo