Magicinfo 9 Server
CVE-2026-25200
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover
This issue affects MagicINFO 9 Server: less than 21.1090.1.
AnalysisAI
Unauthenticated file upload leading to stored XSS and potential RCE in Samsung MagicInfo9 Server. HTML files uploaded without authentication.
Technical ContextAI
CWE-434 in Samsung MagicInfo9 digital signage management. Unauthenticated HTML upload enables stored XSS leading to RCE.
RemediationAI
Apply Samsung security update. Require authentication for file uploads.
More in Magicinfo 9 Server
View allSamsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary
Hardcoded database credentials in Samsung MagicInfo9 Server allow direct database access and manipulation.
Remote code execution in MagicInfo 9 Server (versions prior to 21.1090.1) allows unauthenticated attackers to upload arb
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today