Skip to main content

Sprout Clients CVE-2026-32424

| EUVDEUVD-2026-11953 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11953
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Sprout Clients sprout-clients allows Stored XSS.This issue affects Sprout Clients: from n/a through <= 3.2.2.

AnalysisAI

BoldGrid Sprout Clients contains a Stored Cross-Site Scripting (XSS) vulnerability in web page generation that allows authenticated users to inject and execute arbitrary JavaScript. The vulnerability affects Sprout Clients version 3.2.2 and earlier, enabling attackers with login credentials to compromise other users viewing affected pages. While the CVSS score of 6.5 indicates medium severity with network accessibility and low attack complexity, the stored nature of the XSS and requirement for user interaction (UI:R) limits immediate widespread automated exploitation.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic server-side input validation failure where untrusted user input is rendered directly into HTML/JavaScript contexts without proper sanitization or encoding. The BoldGrid Sprout Clients product (identifiable via CPE cpe:2.3:a:boldgrid:sprout-clients) is a WordPress-related hosting and web management platform that generates dynamic web pages. The root cause involves the web page generation mechanism failing to sanitize HTML/JavaScript in user-controlled inputs, allowing stored payloads to execute in victims' browsers with the privileges of the authenticated session. This is particularly dangerous in platform-as-a-service contexts where multiple users share infrastructure.

RemediationAI

Upgrade BoldGrid Sprout Clients to version 3.2.3 or later immediately, as this patch should contain input sanitization fixes addressing CWE-79. Until patches can be deployed, implement compensating controls by enforcing HTML entity encoding on all user inputs before rendering in web pages, implementing Content Security Policy (CSP) headers to restrict script execution, and conducting input validation on all form submissions. Additionally, restrict administrative access to trusted IP ranges, enable audit logging for content modifications, and consider temporarily disabling user-editable content features if feasible. Review BoldGrid's official security advisory for detailed patch notes and verify patch applicability to your specific deployment configuration.

Share

CVE-2026-32424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy