Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (FSOFT) · only source for this CVE.
CVSS VectorVendor: FSOFT
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser
AnalysisAI
Stored cross-site scripting (XSS) in NightWolf Penetration Testing Platform 2.1.5 allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires user interaction is absent from the CVSS vector (UI:N), meaning the injected payload executes automatically when a victim views affected content. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
This vulnerability exploits improper input validation and output encoding in a web application framework, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The NightWolf Penetration Testing Platform (CPE: cpe:2.3:a:fpt_software:nightwolf_penetration_testing_platform) fails to sanitize user-supplied input before storing it in a backend database and subsequently rendering it in HTML responses. When other authenticated users access pages containing the malicious payload, the browser executes the injected JavaScript in the security context of the vulnerable application, bypassing same-origin policy protections because the payload originates from a trusted domain.
RemediationAI
Patch availability has not been independently confirmed from the provided data; however, users should immediately check the vendor's changelog at https://bug.report.night-wolf.io/changelogs for available updates beyond version 2.1.5. As a temporary mitigation, restrict platform access to trusted networks using network-level controls and disable features that allow user-generated content if possible. Implement Content Security Policy (CSP) headers to restrict inline script execution. Organizations should coordinate with FPT Software to obtain a patched version as soon as it becomes available and follow any interim security hardening guidance provided in the advisory.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21781
GHSA-v8fj-r7vv-gv6q