Skip to main content

Xibo CMS CVE-2026-31952

| EUVDEUVD-2026-25357 HIGH
SQL Injection (CWE-89)
2026-04-24 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 14:33 nvd
Patch available
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Patch available
Apr 24, 2026 - 02:31 EUVD
Analysis Generated
Apr 24, 2026 - 00:48 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 00:15 euvd
EUVD-2026-25357
Analysis Generated
Apr 24, 2026 - 00:15 vuln.today
CVE Published
Apr 24, 2026 - 00:05 nvd
HIGH 7.6

DescriptionGitHub Advisory

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the Access to DataSet Feature privilege or the Access to the Layout Feature privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.

AnalysisAI

SQL injection in Xibo CMS versions 1.7 through 4.4.0 allows authenticated users with DataSet or Layout access privileges to extract and modify arbitrary database contents via crafted API filter parameters. The vulnerability affects a widely-deployed open source digital signage platform and has been addressed in version 4.4.1, with patches retroactively provided for out-of-support versions (3.3, 2.3, 1.8) indicating vendor awareness of active deployments on legacy versions. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with the broad version range (nearly 7 years of releases) suggest significant exposure across installations.

Technical ContextAI

Xibo is an open source content management system for digital signage with web-based administration and Windows display clients. The vulnerability (CWE-89: SQL Injection) exists in the API routes responsible for filtering DataSets within the CMS component. The affected product spans from version 1.7 (released approximately 2015-2016) through 4.4.0, indicating a long-standing code defect in the API's filter parameter handling. The CPE identifier cpe:2.3:a:xibosignage:xibo-cms confirms the CMS component is affected, not the display player software. SQL injection vulnerabilities occur when user-supplied input is concatenated directly into SQL queries without proper parameterization or sanitization, allowing attackers to manipulate query logic. In this case, the filter parameter in DataSet API endpoints fails to validate or escape input, enabling authenticated users to inject SQL commands that execute with the database permissions of the CMS application.

RemediationAI

Upgrade to Xibo CMS version 4.4.1 or apply version-specific patches for out-of-support releases. For current supported versions: upgrade to 4.4.1 (released at https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1) which contains the definitive fix (commit ed213cb4f42d4f50cf8012e01e95bb70127fc6a4). For out-of-support versions still in production: version 3.3 patch available at commit 87e0a26b0c06e349561a6becdc00f3bb01259736, version 2.3 and 1.8 patches referenced in GHSA-rq92-f6fv-3629 advisory (specific commits b8d25fe6cb0232b645c3850afdc2499b0e46c1e6 may apply to multiple versions). Organizations using Xibo Signage hosted service on versions 4.4, 4.3, 3.3, 2.3, or 1.8 have been automatically patched and should verify patch status with their service provider. If immediate patching is not feasible, implement compensating controls: restrict API access to trusted networks via firewall rules or reverse proxy ACLs, audit and minimize users granted DataSet Feature or Layout Feature privileges (remove these permissions from accounts that do not require them), enable comprehensive database query logging to detect injection attempts (log all queries containing UNION, SELECT in filter parameters, or unusual characters like single quotes and semicolons), and implement web application firewall rules to block common SQL injection patterns in API filter parameters (note this is signature-based and may be bypassed by obfuscated payloads). Review database permissions to ensure the CMS application account operates with least privilege (no DROP, CREATE permissions if not required for normal operations). These mitigations reduce attack surface but do not eliminate the vulnerability; upgrading remains the only complete remediation.

Share

CVE-2026-31952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy