Skip to main content

Xibo CMS CVE-2026-31952

| EUVD-2026-25357 HIGH
SQL Injection (CWE-89)
2026-04-24 GitHub_M
SQLi Microsoft
7.6
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 14:33 nvd
Patch available
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Patch available
Apr 24, 2026 - 02:31 EUVD
Analysis Generated
Apr 24, 2026 - 00:48 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 00:15 euvd
EUVD-2026-25357
Analysis Generated
Apr 24, 2026 - 00:15 vuln.today
CVE Published
Apr 24, 2026 - 00:05 nvd
HIGH 7.6

DescriptionNVD

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the Access to DataSet Feature privilege or the Access to the Layout Feature privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.

AnalysisAI

SQL injection in Xibo CMS versions 1.7 through 4.4.0 allows authenticated users with DataSet or Layout access privileges to extract and modify arbitrary database contents via crafted API filter parameters. The vulnerability affects a widely-deployed open source digital signage platform and has been addressed in version 4.4.1, with patches retroactively provided for out-of-support versions (3.3, 2.3, 1.8) indicating vendor awareness of active deployments on legacy versions. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all Xibo CMS deployments across infrastructure and document version numbers; restrict API access to non-administrative users pending remediation. Within 7 days: Upgrade all instances to version 4.4.1 or apply vendor-provided patches for legacy versions 3.3, 2.3, and 1.8; prioritize upgrades for systems with external-facing APIs. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-10044 HIGH POC
8.2 May 28

{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows pat
CVE-2026-40412 CRITICAL
10.0 May 22

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous fil
CVE-2026-41104 CRITICAL
10.0 May 22

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft mal
CVE-2026-23652 CRITICAL
10.0 May 22

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-
CVE-2026-47280 CRITICAL
10.0 May 22

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authenti

Share

CVE-2026-31952 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy