Skip to main content

Microsoft EUVDEUVD-2026-16575

| CVE-2026-3457 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-27 THA-PSIRT
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.22
EUVD ID Assigned
Mar 27, 2026 - 09:15 euvd
EUVD-2026-16575
Analysis Generated
Mar 27, 2026 - 09:15 vuln.today
CVE Published
Mar 27, 2026 - 09:05 nvd
HIGH 7.0

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Thales Sentinel LDK Runtime on Windows allows Stored XSS.This issue affects Sentinel LDK Runtime: before 10.22.

AnalysisAI

Stored cross-site scripting in Thales Sentinel LDK Runtime on Windows allows attackers with local access to inject malicious scripts that execute with high integrity impact. All versions before 10.22 are affected. The CVSS 4.0 base score of 7.0 reflects local attack vector with no privileges required and no user interaction. Proof-of-concept exploit code exists (CVSS:4.0 E:P). CISA KEV does not list this vulnerability as actively exploited at time of analysis.

Technical ContextAI

This vulnerability affects the Sentinel LDK Runtime (cpe:2.3:a:thales:sentinel_ldk_runtime:*:*:*:*:*:*:*:*), a software licensing solution from Thales that provides digital rights management and software protection capabilities on Windows platforms. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Unlike reflected XSS, this stored variant allows persistent malicious scripts to be embedded in the application's data layer, which are then rendered to victims during normal application usage. The local attack vector (AV:L) indicates the attacker requires local system access to inject the payload, though the high integrity impact (VI:H) and supplemental integrity impact (SI:H) suggest significant potential for privilege escalation or system compromise once the payload executes.

RemediationAI

Upgrade Thales Sentinel LDK Runtime to version 10.22 or later to address this vulnerability. The vendor advisory containing patch details is available at https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=5c18186b478aa950128dca72e36d4391&sysparm_article=KB0027106. Organizations unable to immediately patch should implement compensating controls including restricting local system access to trusted users only, monitoring for suspicious script injection attempts in LDK-related data stores, and implementing application-level content security policies where feasible. Given the local attack vector requirement, enforcing strict physical and logical access controls to systems running Sentinel LDK Runtime provides interim risk reduction until patching is completed.

Share

EUVD-2026-16575 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy