Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
AnalysisAI
Stored cross-site scripting (XSS) in Bynder v0.1.394 allows authenticated attackers to inject and execute arbitrary web scripts or HTML through a crafted payload, affecting users who interact with malicious content. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but posing a risk to collaborative environments where users trust stored content. No public exploit has been confirmed as actively exploited per CISA records, and EPSS/KEV status indicates lower real-world exploitation probability despite the stored XSS vector.
Technical ContextAI
Stored XSS vulnerabilities (CWE-79) occur when untrusted user input is persisted in a database or backend storage without proper sanitization or encoding, then reflected to other users via the application interface. In Bynder v0.1.394, the affected component fails to sanitize crafted payloads during storage, allowing an authenticated attacker to inject malicious HTML or JavaScript. When the stored content is rendered in another user's browser context, the injected script executes with the privileges of that user's session. The CPE data provided (n/a:n/a) suggests limited vendor-specific tracking, though Bynder's primary website and the referenced GitHub CVE repository (Henkel-CyberVM/CVEs) serve as disclosure sources. This attack differs from reflected XSS in that the payload persists and affects all users accessing the compromised content, not just those clicking a malicious link.
RemediationAI
Upgrade Bynder to a patched version beyond v0.1.394; the vendor advisory at https://www.bynder.com/en/ and NVD detail page at https://nvd.nist.gov/vuln/detail/CVE-2026-31153 should specify the minimum safe version. If a specific patched release is not yet available, implement input validation and output encoding on all user-controlled fields that are stored and later rendered, ensuring HTML/JavaScript sanitization using an allowlist-based approach (e.g., via OWASP DOMPurify or equivalent). Validate and sanitize payloads server-side before storage, and apply context-appropriate encoding (HTML entity encoding) when rendering stored content in the user interface. Review any stored content created by untrusted users and remove or sanitize known malicious payloads. The GitHub repository at https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153 may provide additional technical details or proof-of-concept references for validation purposes.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19273
GHSA-vwwm-jm2x-63pj