Skip to main content

CVE-2026-29969

| EUVDEUVD-2026-16299 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 mitre GHSA-8qx2-56wc-5hxh
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 19:16 euvd
EUVD-2026-16299
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request.

AnalysisAI

StaffWiki v7.0.1.19219 contains a reflected cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint that enables remote attackers to execute arbitrary JavaScript in a user's browser context through a crafted HTTP request. The vulnerability affects StaffWiki versions up to at least 7.0.1.19219, and publicly available exploit code has been disclosed via GitHub, though no active exploitation has been confirmed by CISA at the time of analysis.

Technical ContextAI

The vulnerability resides in the wff_cols_pref.css.aspx endpoint of StaffWiki, a web-based staff directory and collaboration platform. The root cause is insufficient input validation and output encoding on user-supplied parameters passed to this endpoint, allowing attacker-controlled data to be reflected directly into the HTTP response and executed as trusted JavaScript within the victim's browser. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected product is identified via CPE as StaffWiki (though the specific CPE vendor and product identifiers are marked as 'n/a' in the available data), and the confirmed affected version is 7.0.1.19219. The EUVD ID EUVD-2026-16299 cross-references this issue in the EU vulnerability disclosure registry.

RemediationAI

Organizations using StaffWiki should immediately apply the latest security patch from the StaffWiki vendor. At this time, no specific patched version number has been confirmed in the provided data, so administrators should consult the official StaffWiki security advisory and GitHub repository (https://github.com/cmoncrook/Security-Advisories/blob/main/cve-2026-29969) for the recommended upgrade version. As an interim mitigation, restrict access to the wff_cols_pref.css.aspx endpoint via web application firewall (WAF) rules that block requests containing suspicious JavaScript payloads or script tags. Additionally, enforce Content Security Policy (CSP) headers with strict directives (e.g., script-src 'self') to limit the impact of any reflected XSS payload execution. User awareness training regarding phishing and suspicious links is also recommended, as this vulnerability relies on social engineering to deliver the malicious URL.

Share

CVE-2026-29969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy