Skip to main content

ADPhonebook CVE-2026-36460

| EUVDEUVD-2026-34140 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-03 mitre GHSA-5c2q-xgpr-q68v
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 17:29 vuln.today
CVSS changed
Jun 08, 2026 - 17:22 NVD
4.8 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Dovestones Softwares ADPhonebook before v4.0.1.1 is vulnerable to a Cross Site Scripting vulnerability. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding.

AnalysisAI

Stored Cross-Site Scripting in Dovestones Softwares ADPhonebook before v4.0.1.1 permits authenticated admin users to inject persistent JavaScript payloads via the /Admin/Save API endpoint. Because multiple configuration sections lack input validation and output encoding, injected scripts survive across sessions and execute in any victim's browser when the affected configuration pages are loaded, with CVSS scope change (S:C) confirming cross-user impact beyond the planting admin. No public exploitation identified at time of analysis; EPSS is 0.02% (5th percentile), though a publicly available proof-of-concept gist exists at the referenced GitHub URL.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to sanitize user-supplied data before rendering it as HTML or JavaScript in a browser context. In ADPhonebook, the /Admin/Save API endpoint accepts configuration payloads and persists them to storage without server-side input validation or context-aware output encoding. When those configuration values are later retrieved and rendered in the admin UI, the raw payload is executed by the browser as script. The CVSS vector S:C (Scope Changed) is technically significant: it confirms the injected payload can affect security principals other than the admin who stored it - meaning a single malicious configuration write can compromise multiple user sessions. CPE data returned as n/a by NVD, so exact platform and OS context are not confirmed; the product is a Windows-based Active Directory phonebook tool based on the vendor download page context.

RemediationAI

Upgrade ADPhonebook to v4.0.1.1 or later - this is the fix version indicated by the CVE description and the vendor download page at https://dovestones.com/download/. Note that the patched version is inferred from the vulnerability description and has not been independently confirmed via a dedicated vendor security advisory. If immediate upgrade is not feasible, restrict access to the ADPhonebook admin panel to a dedicated management VLAN or trusted IP ranges using firewall or reverse-proxy ACLs; this prevents unauthorized parties from reaching the /Admin/Save API entirely. Additionally, enforce the principle of least privilege by minimizing the number of accounts with admin access to the application, and review existing configuration sections for anomalous or unexpected script content as an indicator of prior exploitation. Monitor admin session activity for unusual configuration changes as a compensating detective control.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy