PT-2026-34813 · Xibo · Xibo

Swarnimbandekar

·

Published

2026-04-24

·

Updated

2026-04-25

·

CVE-2026-31955

CVSS v3.1

4.9

Medium

Vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Xibo versions prior to 4.4.1
Description: An authenticated Server-Side Request Forgery (SSRF) allows a user with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be used to scan internal infrastructure, reach local cloud metadata endpoints such as the AWS Instance Metadata Service (IMDS), interact with unauthenticated internal services, or exfiltrate data. Exploitation requires an authenticated user who holds the privilege to use the "Add DataSet" button, i.e. to create DataSets independently of Layouts.
Recommendations: Upgrade to version 4.4.1. As a temporary workaround, revoke the privilege to use the "Add DataSet" button from untrusted users.
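As an added illustration (this is not Xibo's code and is not taken from the advisory), the Python below shows the destination check a server-side fetcher needs before it requests a user-supplied URL of the kind a DataSet remote source carries: allow only http/https, refuse embedded credentials, resolve the hostname once, reject any resolved record that falls in loopback, RFC 1918, CGNAT, link-local (which covers the IMDS address 169.254.169.254) or IPv6-local ranges, and return the vetted addresses so the HTTP client connects to them directly. The hostnames and DNS answers in `FAKE_DNS` are constructed so the example runs offline; `check_fetch_target` and `classify_address` are names chosen for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an SSRF defence must refuse even when the hostname looks public:
# "this" network, RFC 1918, CGNAT, loopback, link-local (169.254.169.254 is the
# AWS IMDS address), and the IPv6 unspecified/loopback/ULA/link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers so the demonstration runs offline (not real records).
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.20", "10.0.0.5"],   # one public, one internal record
    "imds.example.com": ["169.254.169.254"],               # CNAME-style alias for the metadata service
    "v6.example.com": ["::ffff:192.168.1.1"],              # IPv4-mapped IPv6 hiding a private address
}


def fake_resolver(host):
    """Stand-in for DNS; raises like getaddrinfo does for an unknown name."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no record for {host}")


def default_resolver(host):
    """Real lookup of every A/AAAA record for host (network access required)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def classify_address(addr):
    """Return None if addr is a routable public IP, else the reason it is blocked."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 must be judged as the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return f"{addr} is in blocked range {net}"
    return None


def check_fetch_target(url, resolver=default_resolver):
    """Vet a user-supplied fetch URL before the server makes the request.

    Returns (ok, detail). On success, detail is the list of resolved addresses
    the HTTP client must connect to directly; resolving the name a second time
    at connect() would let a DNS-rebinding attacker serve a different answer.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # A literal IP needs no DNS; a hostname is resolved and every record is vetted,
    # because a name with one public and one internal record is still unsafe.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        reason = classify_address(addr)
        if reason:
            return False, reason
    return True, addrs


if __name__ == "__main__":
    for candidate in (
        "https://cdn.example.com/feed.json",
        "http://169.254.169.254/latest/meta-data/",
        "http://imds.example.com/",
        "http://rebind.example.com/",
        "http://[::1]:8080/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_fetch_target(candidate, fake_resolver))
```

Two caveats apply when wiring a check like this into a real fetcher: the client must connect to the returned addresses (and send the original hostname in the Host header and TLS SNI) rather than resolving again, and it must not follow HTTP redirects automatically, since a public host can answer with a 302 to an internal address; either disable redirects or re-run the check on every hop.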

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-31955

Affected Products

Xibo