Skip to main content

Nightwolf Penetration Testing Platform CVE-2026-6179

| EUVDEUVD-2026-21781 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-13 FSOFT GHSA-v8fj-r7vv-gv6q
6.3
CVSS 4.0 · Vendor: FSOFT
Share

Severity by source

Vendor (FSOFT) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (FSOFT) · only source for this CVE.

CVSS VectorVendor: FSOFT

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 13, 2026 - 04:51 vuln.today
CVSS changed
Apr 13, 2026 - 03:22 NVD
6.3 (MEDIUM)
EUVD ID Assigned
Apr 13, 2026 - 02:45 euvd
EUVD-2026-21781
Analysis Generated
Apr 13, 2026 - 02:45 vuln.today
CVE Published
Apr 13, 2026 - 02:27 nvd
MEDIUM 6.3

DescriptionCVE.org

Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser

AnalysisAI

Stored cross-site scripting (XSS) in NightWolf Penetration Testing Platform 2.1.5 allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires user interaction is absent from the CVSS vector (UI:N), meaning the injected payload executes automatically when a victim views affected content. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

This vulnerability exploits improper input validation and output encoding in a web application framework, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The NightWolf Penetration Testing Platform (CPE: cpe:2.3:a:fpt_software:nightwolf_penetration_testing_platform) fails to sanitize user-supplied input before storing it in a backend database and subsequently rendering it in HTML responses. When other authenticated users access pages containing the malicious payload, the browser executes the injected JavaScript in the security context of the vulnerable application, bypassing same-origin policy protections because the payload originates from a trusted domain.

RemediationAI

Patch availability has not been independently confirmed from the provided data; however, users should immediately check the vendor's changelog at https://bug.report.night-wolf.io/changelogs for available updates beyond version 2.1.5. As a temporary mitigation, restrict platform access to trusted networks using network-level controls and disable features that allow user-generated content if possible. Implement Content Security Policy (CSP) headers to restrict inline script execution. Organizations should coordinate with FPT Software to obtain a patched version as soon as it becomes available and follow any interim security hardening guidance provided in the advisory.

Share

CVE-2026-6179 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy