Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
InfoScale VIOM 9.1.3 allows XSS.
AnalysisAI
Cross-site scripting in Veritas InfoScale VIOM 9.1.3 allows a low-privileged authenticated attacker to inject malicious scripts into the web application, which execute in the browser context of other users - including potentially administrators. The CVSS 3.1 score of 5.4 with Changed scope (S:C) indicates the injected payload can cross security boundaries and impact principals beyond the originating session. No public exploit code has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.
Technical ContextAI
InfoScale VIOM (Veritas InfoScale Operations Manager, also referenced as IOM in vendor documentation) is a web-based platform for managing infrastructure and virtualization operations. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), indicating that user-controlled input is insufficiently sanitized before being rendered in the web interface. Decomposing the CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: the network attack vector and low complexity confirm the interface is reachable without local access; PR:L confirms a valid low-privileged account is required; UI:R and S:C together are the defining characteristic - the injected script executes in a different user's browser security context, consistent with stored or reflected XSS targeting higher-privileged users. The CPE data provided (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is non-specific and contributes no additional platform or version granularity beyond the CVE description itself.
RemediationAI
The primary remediation is to apply the vendor-released security update detailed in the InfoScale Operations Manager security bulletin addressing CVE-2026-44923, CVE-2026-44924, and CVE-2026-44925, available at https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080 and the associated technical document at https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640. An exact fixed version number is not confirmed from the supplied intelligence data - administrators must consult the vendor bulletin directly to identify the target upgrade version before patching. As a compensating control pending patching, restrict access to the InfoScale VIOM web interface to trusted internal network segments using firewall rules or VPN controls, reducing the pool of potential attackers who could authenticate with low-privileged accounts. Additionally, enforcing strict Content Security Policy (CSP) headers at a reverse proxy layer can limit the execution scope of injected scripts; however, CSP changes require thorough application testing as misconfigured policies may break legitimate VIOM functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31128
GHSA-m936-grmc-mmqq