EUVD-2026-25367CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate.
AnalysisAI
Xibo CMS before version 4.4.1 allows authenticated users to bypass access controls and view campaigns, regions, and reports belonging to other users by manually constructing preview URLs. The vulnerability affects any authenticated user with Layout Management, Campaign Management, or Report viewing privileges and results in unauthorized information disclosure with no impact on data integrity or availability.
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perfo
Privilege escalation in Azure IoT Central enables authenticated attackers to gain unauthorized access to sensitive infor
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such a
Share
External POC / Exploit Code
Leaving vuln.today