Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).
AnalysisAI
Stored cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF versions before 25.0.10 allow authenticated administrator users to inject malicious scripts via multiple UI fields, potentially compromising other administrators' sessions and enabling unauthorized actions within the administrator context. The vulnerability requires valid administrator credentials and an active login session to exploit, limiting exposure to trusted administrative users but creating significant insider risk.
Technical ContextAI
The vulnerability stems from insufficient input validation and output encoding in PaperCut NG/MF's web-based administrative interface (CWE-79: Improper Neutralization of Input During Web Page Generation). Multiple UI fields fail to properly sanitize user-supplied input before reflecting or storing it in HTML responses. When an authenticated administrator submits crafted payloads through these fields, the application processes and renders them without adequate escaping, allowing arbitrary JavaScript execution in the browsers of other administrators who access the same UI components. This is a stored XSS variant, meaning the malicious payload persists in the application state and affects multiple users, not just the initial attacker.
RemediationAI
Vendor-released patch: upgrade to PaperCut NG/MF version 25.0.10 or later. This is the only confirmed remediation. Organizations unable to immediately patch should restrict administrative UI access to trusted networks only, limit the number of active administrator accounts, and monitor administrator session activity for suspicious behavior. Refer to the official PaperCut security bulletin at https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/ for detailed upgrade instructions and any additional mitigation guidance.
More in Papercut Ng Mf
View allPaperCut MF version 25.0.4 allows authenticated administrators to read arbitrary files on the server through insufficien
PaperCut NG/MF embedded application on Konica Minolta multifunction devices transmits sensitive session data over an ins
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17271