Skip to main content

Hostbill CVE-2026-31050

| EUVDEUVD-2026-25422 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-24 mitre GHSA-xjv5-fr35-f76p
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 24, 2026 - 17:32 vuln.today
CVSS changed
Apr 24, 2026 - 16:22 NVD
4.9 (None) 4.9 (MEDIUM)
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25422
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 00:00 nvd
MEDIUM 4.9

DescriptionCVE.org

Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code

AnalysisAI

Cross-site scripting (XSS) vulnerability in Hostbill versions 2025-11-24 and 2025-12-01 allows high-privilege remote attackers to execute arbitrary code in admin and client interface contexts without user interaction. The CVSS score of 4.9 reflects the requirement for authenticated high-privilege access, but the presence of publicly available exploit code and the vulnerability's presence in both admin and client interfaces increase real-world risk beyond the base score. The discrepancy between the CWE-79 classification (XSS) and tags indicating RCE capability suggests stored XSS enabling indirect code execution or privilege escalation within the application.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS flaw where untrusted user input is rendered in HTML/JavaScript contexts without proper sanitization or encoding. The vulnerability manifests in both Hostbill admin and client interfaces, indicating the XSS payload injection points exist in multiple application modules. The presence of RCE tags alongside XSS classification suggests the stored XSS may be chained with template injection, unsafe deserialization, or other backend execution mechanisms. The affected versions (2025-11-24 and 2025-12-01) are recent release cycles, indicating the vulnerability was introduced or discovered within weeks of the affected versions' deployment.

RemediationAI

Hostbill users should immediately upgrade to a patched version released after 2025-12-01. Check the Hostbill security advisory (https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/) for the exact patched version number and upgrade instructions. Until patching is feasible, apply the following mitigations: (1) Restrict network access to the Hostbill admin panel to a whitelist of trusted IP addresses or require VPN/bastion access - this eliminates remote exploitation for admin-tier XSS. (2) Implement Content Security Policy (CSP) headers prohibiting inline script execution and restricting script-src to trusted domains only; this may break existing functionality so test thoroughly before production deployment. (3) Disable or restrict client-interface features that are not actively used if they are the XSS vector. (4) Monitor Hostbill application logs for suspicious admin account activity or unusual script injections in stored fields (database queries, user-generated content). Note that these controls address the attack vector but do not eliminate the underlying vulnerability; patching is mandatory for complete remediation.

Share

CVE-2026-31050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy