Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition.
AnalysisAI
Blind Cross-Site Scripting in Teampass password manager versions prior to 3.1.5.16 allows unauthenticated remote attackers to execute arbitrary JavaScript in administrator browsers via malicious username input during failed login attempts. The vulnerability achieves high confidentiality and integrity impact (CVSS 9.3) because malicious code is stored and automatically executed when administrators review failed authentication logs, enabling potential session hijacking, credential theft, or administrative account compromise. No active exploitation confirmed via CISA KEV, though the attack requires no authentication and minimal complexity.
Technical ContextAI
Teampass is an open-source collaborative password manager built on PHP and MySQL. This vulnerability stems from improper input validation and output encoding (CWE-79) in the authentication handler at index.php. When processing failed login attempts, the application accepts arbitrary input in the 'contraseña' (password) parameter and username field without sanitization, then renders this unsanitized data in the administrative interface where login failure logs are displayed. The blind XSS nature means the payload executes in a different user context (administrator) than where it was injected (login form), making it particularly dangerous as administrators routinely review authentication logs for security monitoring. The affected CPE (cpe:2.3:a:teampass:teampass) indicates all Teampass installations below version 3.1.5.16 are vulnerable regardless of deployment configuration.
RemediationAI
Immediately upgrade Teampass to version 3.1.5.16 or later, which addresses this vulnerability along with other security issues identified by INCIBE. Download the patched version from the official Teampass repository and follow standard upgrade procedures including database backup prior to migration. Review administrator session logs and browser history for indicators of exploitation, particularly unexpected JavaScript execution or unauthorized administrative actions following authentication failure log reviews. If immediate patching is not feasible, implement Web Application Firewall rules to filter script tags and JavaScript event handlers from login form parameters, though this is an imperfect workaround. Restrict administrative interface access to trusted IP ranges and implement Content Security Policy headers to limit inline script execution. Complete advisory with additional vulnerability details available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teampass.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17345