Skip to main content

PHP CVE-2026-3106

| EUVDEUVD-2026-17345 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 INCIBE
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 31, 2026 - 09:15 euvd
EUVD-2026-17345
Analysis Generated
Mar 31, 2026 - 09:15 vuln.today
Patch released
Mar 31, 2026 - 09:15 nvd
Patch available
CVE Published
Mar 31, 2026 - 08:51 nvd
CRITICAL 9.3

DescriptionCVE.org

Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition.

AnalysisAI

Blind Cross-Site Scripting in Teampass password manager versions prior to 3.1.5.16 allows unauthenticated remote attackers to execute arbitrary JavaScript in administrator browsers via malicious username input during failed login attempts. The vulnerability achieves high confidentiality and integrity impact (CVSS 9.3) because malicious code is stored and automatically executed when administrators review failed authentication logs, enabling potential session hijacking, credential theft, or administrative account compromise. No active exploitation confirmed via CISA KEV, though the attack requires no authentication and minimal complexity.

Technical ContextAI

Teampass is an open-source collaborative password manager built on PHP and MySQL. This vulnerability stems from improper input validation and output encoding (CWE-79) in the authentication handler at index.php. When processing failed login attempts, the application accepts arbitrary input in the 'contraseña' (password) parameter and username field without sanitization, then renders this unsanitized data in the administrative interface where login failure logs are displayed. The blind XSS nature means the payload executes in a different user context (administrator) than where it was injected (login form), making it particularly dangerous as administrators routinely review authentication logs for security monitoring. The affected CPE (cpe:2.3:a:teampass:teampass) indicates all Teampass installations below version 3.1.5.16 are vulnerable regardless of deployment configuration.

RemediationAI

Immediately upgrade Teampass to version 3.1.5.16 or later, which addresses this vulnerability along with other security issues identified by INCIBE. Download the patched version from the official Teampass repository and follow standard upgrade procedures including database backup prior to migration. Review administrator session logs and browser history for indicators of exploitation, particularly unexpected JavaScript execution or unauthorized administrative actions following authentication failure log reviews. If immediate patching is not feasible, implement Web Application Firewall rules to filter script tags and JavaScript event handlers from login form parameters, though this is an imperfect workaround. Restrict administrative interface access to trusted IP ranges and implement Content Security Policy headers to limit inline script execution. Complete advisory with additional vulnerability details available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teampass.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-3106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy