Skip to main content

Papercut Ng Mf CVE-2026-4794

| EUVDEUVD-2026-17271 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 PaperCut
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
25.0.10
EUVD ID Assigned
Mar 31, 2026 - 01:00 euvd
EUVD-2026-17271
Analysis Generated
Mar 31, 2026 - 01:00 vuln.today
CVE Published
Mar 31, 2026 - 00:39 nvd
LOW 2.1

DescriptionCVE.org

Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).

AnalysisAI

Stored cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF versions before 25.0.10 allow authenticated administrator users to inject malicious scripts via multiple UI fields, potentially compromising other administrators' sessions and enabling unauthorized actions within the administrator context. The vulnerability requires valid administrator credentials and an active login session to exploit, limiting exposure to trusted administrative users but creating significant insider risk.

Technical ContextAI

The vulnerability stems from insufficient input validation and output encoding in PaperCut NG/MF's web-based administrative interface (CWE-79: Improper Neutralization of Input During Web Page Generation). Multiple UI fields fail to properly sanitize user-supplied input before reflecting or storing it in HTML responses. When an authenticated administrator submits crafted payloads through these fields, the application processes and renders them without adequate escaping, allowing arbitrary JavaScript execution in the browsers of other administrators who access the same UI components. This is a stored XSS variant, meaning the malicious payload persists in the application state and affects multiple users, not just the initial attacker.

RemediationAI

Vendor-released patch: upgrade to PaperCut NG/MF version 25.0.10 or later. This is the only confirmed remediation. Organizations unable to immediately patch should restrict administrative UI access to trusted networks only, limit the number of active administrator accounts, and monitor administrator session activity for suspicious behavior. Refer to the official PaperCut security bulletin at https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/ for detailed upgrade instructions and any additional mitigation guidance.

Share

CVE-2026-4794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy