Skip to main content

Xibo CMS CVE-2026-31956

| EUVDEUVD-2026-25367 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-24 security-advisories@github.com
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 14:44 nvd
Patch available
Patch available
Apr 24, 2026 - 03:01 EUVD
Analysis Generated
Apr 24, 2026 - 01:30 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 01:22 euvd
EUVD-2026-25367
Analysis Generated
Apr 24, 2026 - 01:22 vuln.today
CVE Published
Apr 24, 2026 - 01:16 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate.

AnalysisAI

Xibo CMS before version 4.4.1 allows authenticated users to bypass access controls and view campaigns, regions, and reports belonging to other users by manually constructing preview URLs. The vulnerability affects any authenticated user with Layout Management, Campaign Management, or Report viewing privileges and results in unauthorized information disclosure with no impact on data integrity or availability.

Technical ContextAI

Xibo is an open-source digital signage platform consisting of a web-based content management system (CMS) and Windows display player software. The vulnerability stems from inadequate authorization checks on preview and export functionality (CWE-639: Authorization Through User-Controlled Key), where the application fails to verify that the requesting user owns or has explicit permission to access the resource being previewed or exported. The flaw affects three distinct functional areas: Layout Management pages displaying all created layouts, Campaign Management pages displaying all campaigns, and Report pages displaying saved reports. Attackers exploit this by manipulating URL parameters to reference other users' resources, bypassing the intended access control model.

RemediationAI

The primary remediation is to upgrade Xibo CMS to version 4.4.1 or later, which implements proper authorization checks on preview and export endpoints. Organizations unable to patch immediately should restrict access to Layout Management, Campaign Management, and Report viewing pages to trusted users only, using network access controls or web application firewall rules to limit who can reach these URLs. Additionally, implement monitoring on preview and export endpoints to detect suspicious URL parameter manipulation targeting resources not owned by the requesting user. Separate user accounts by functional role (Layout managers, Campaign managers, Report viewers) and use minimal-privilege assignment to reduce the attack surface. These compensating controls do not eliminate the vulnerability but significantly reduce the likelihood and impact of exploitation by limiting the pool of authenticated users who can access these pages.

Share

CVE-2026-31956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy