Skip to main content

Xibo CMS CVE-2026-31955

| EUVDEUVD-2026-25366 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-24 security-advisories@github.com
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 14:43 nvd
Patch available
Patch available
Apr 24, 2026 - 03:01 EUVD
Analysis Generated
Apr 24, 2026 - 01:30 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 01:22 euvd
EUVD-2026-25366
Analysis Generated
Apr 24, 2026 - 01:22 vuln.today
CVE Published
Apr 24, 2026 - 01:16 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.

AnalysisAI

Server-Side Request Forgery in Xibo CMS prior to version 4.4.1 allows high-privilege authenticated users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external resources, enabling infrastructure reconnaissance, cloud metadata access (e.g., AWS IMDS), and potential data exfiltration. Exploitation requires both 'Add DataSet' privilege and DataSet management capabilities, which are not default non-admin permissions, limiting the attack surface to trusted insiders or compromised administrative accounts.

Technical ContextAI

The vulnerability resides in Xibo's DataSet functionality, which allows creation and management of data sources for digital signage layouts. When users with DataSet creation privileges (specifically the 'Add DataSet' permission) interact with the DataSet management interface, insufficient input validation on URL or data source endpoints permits Server-Side Request Forgery attacks classified under CWE-918 (Server-Side Request Forgery). The CMS server processes attacker-controlled requests on behalf of the application, allowing bypass of network segmentation and access controls that would normally prevent direct client-to-internal-resource communication. This is a classic SSRF pattern where user input intended for benign data aggregation is repurposed to probe internal infrastructure, access cloud metadata services (AWS IMDS, GCP metadata), or interact with unauthenticated internal services.

RemediationAI

Upgrade Xibo CMS to version 4.4.1 or later, which includes fixes for the SSRF vulnerability in DataSet handling. This is the primary and recommended remediation. For organizations unable to immediately patch, revoke the 'Add DataSet' privilege from all users except those with explicitly verified business requirements and administrative oversight. This compensating control eliminates the immediate exploitation path while preserving read-only DataSet access if needed. Review and audit current DataSet privilege assignments to identify which users possess both 'Add DataSet' and DataSet management capabilities; restrict these to only necessary administrative personnel. As an additional network-level control, implement firewall rules to restrict the CMS server's outbound HTTP/HTTPS traffic to only necessary external services, explicitly blocking access to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1/8) and cloud metadata endpoints (169.254.169.254 for AWS). Note: this control may impact legitimate DataSet integrations that rely on internal data sources, requiring careful assessment before deployment. Detailed patch and workaround guidance is available in the GitHub security advisory: https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-5q58-9vhx-xg2p.

Share

CVE-2026-31955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy