Skip to main content

Timo CVE-2026-30162

| EUVDEUVD-2026-16187 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 mitre GHSA-vh39-72c6-788j
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 14:30 euvd
EUVD-2026-16187
Analysis Generated
Mar 26, 2026 - 14:30 vuln.today
CVE Published
Mar 26, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field.

AnalysisAI

Timo 2.0.3 contains a stored cross-site scripting (XSS) vulnerability in the title field that allows unauthenticated remote attackers to inject malicious scripts via crafted links, resulting in session hijacking, credential theft, or malware distribution to other users viewing affected content. Publicly available exploit code exists (referenced via GitHub issue), and the vulnerability is rated CVSS 6.1 with cross-site scope impact, though no evidence of active exploitation in the wild has been confirmed at the time of analysis.

Technical ContextAI

This vulnerability exploits improper input validation and output encoding in Timo 2.0.3's title field handling, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The root cause stems from failure to sanitize or escape user-supplied input before rendering it in HTML context, allowing attackers to embed arbitrary JavaScript payloads that execute in the browsers of users who view the crafted content. The affected product Timo (CPE information incomplete in source data) is a web-based application; the vulnerability specifically resides in the data persistence and display layer where user-submitted titles are stored and subsequently rendered without proper context-aware encoding.

RemediationAI

Upgrade Timo to a patched version released by the vendor after disclosure of CVE-2026-30162; consult the official Timo GitHub repository (https://github.com/auntvt/Timo) and NIST NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-30162) for exact patch version availability. As an immediate interim control, restrict title field input to a whitelist of safe characters (alphanumeric, spaces, hyphens, underscores), disable HTML rendering in title display contexts, and apply output encoding (HTML entity encoding) to all dynamically rendered title values. Implement a Content Security Policy (CSP) header with strict-dynamic and script-src 'self' to mitigate the impact of any injected scripts. Until patching is available, audit existing content for suspicious or encoded payloads in title fields and consider temporarily disabling the ability to edit titles if the application permits.

Share

CVE-2026-30162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy