Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request.
AnalysisAI
StaffWiki v7.0.1.19219 contains a reflected cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint that enables remote attackers to execute arbitrary JavaScript in a user's browser context through a crafted HTTP request. The vulnerability affects StaffWiki versions up to at least 7.0.1.19219, and publicly available exploit code has been disclosed via GitHub, though no active exploitation has been confirmed by CISA at the time of analysis.
Technical ContextAI
The vulnerability resides in the wff_cols_pref.css.aspx endpoint of StaffWiki, a web-based staff directory and collaboration platform. The root cause is insufficient input validation and output encoding on user-supplied parameters passed to this endpoint, allowing attacker-controlled data to be reflected directly into the HTTP response and executed as trusted JavaScript within the victim's browser. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected product is identified via CPE as StaffWiki (though the specific CPE vendor and product identifiers are marked as 'n/a' in the available data), and the confirmed affected version is 7.0.1.19219. The EUVD ID EUVD-2026-16299 cross-references this issue in the EU vulnerability disclosure registry.
RemediationAI
Organizations using StaffWiki should immediately apply the latest security patch from the StaffWiki vendor. At this time, no specific patched version number has been confirmed in the provided data, so administrators should consult the official StaffWiki security advisory and GitHub repository (https://github.com/cmoncrook/Security-Advisories/blob/main/cve-2026-29969) for the recommended upgrade version. As an interim mitigation, restrict access to the wff_cols_pref.css.aspx endpoint via web application firewall (WAF) rules that block requests containing suspicious JavaScript payloads or script tags. Additionally, enforce Content Security Policy (CSP) headers with strict directives (e.g., script-src 'self') to limit the impact of any reflected XSS payload execution. User awareness training regarding phishing and suspicious links is also recommended, as this vulnerability relies on social engineering to deliver the malicious URL.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16299
GHSA-8qx2-56wc-5hxh