Skip to main content

Xibo CMS CVE-2026-42558

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 GitHub_M
7.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
vuln.today AI
7.6 HIGH

Network-reachable CMS, low-complexity stored payload, attacker needs the non-default Add DataSet privilege (PR:L), victim must view content (UI:R), sandbox escape crosses scope to admin context.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 10, 2026 - 22:54 vuln.today
CVE Published
Jun 10, 2026 - 21:39 cve.org
HIGH 7.6

DescriptionCVE.org

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and facilitate XSS. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts Users should upgrade to version 4.4.2 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.

AnalysisAI

Stored cross-site scripting in Xibo CMS prior to 4.4.2 allows authenticated users with elevated DataSet privileges to chain a Stored XSS with an iframe sandbox escape via the Data Connector functionality, executing script in another user's browser context. Scope-changed impact (S:C) with high confidentiality loss means a low-privileged-but-trusted operator can compromise an admin session viewing the affected dataset content. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Technical ContextAI

Xibo is an open-source digital signage CMS (cpe:2.3:a:xibosignage:xibo-cms) that lets operators build layouts driven by DataSets fed through Data Connectors - server-side message brokers that push content into rendered widgets. The flaw is a CWE-79 (Improper Neutralization of Input During Web Page Generation) where Data Connector messages are rendered inside a sandboxed iframe whose isolation can be broken, allowing attacker-controlled HTML/JS to reach the parent CMS origin. Because the payload is stored and triggered when other users view the dataset, the iframe sandbox - intended as the security boundary - is the root failure, turning a contained widget into a vector for cross-origin script execution against the CMS UI.

RemediationAI

Vendor-released patch: upgrade to Xibo CMS 4.4.2, which the advisory states is necessary to remediate the chain - see https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-6389-j56c-9fww. For operators unable to upgrade immediately, the vendor's documented workaround is to revoke the 'Add DataSet' privilege from any user account that is not fully trusted, accepting the trade-off that legitimate operators will lose the ability to create DataSets independently of Layouts and may need an admin to provision them. Audit existing role assignments before patching to identify accounts that already held this privilege, since stored payloads inserted before remediation may persist after upgrade.

Share

CVE-2026-42558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy