Skip to main content

Bynder EUVDEUVD-2026-19273

| CVE-2026-31153 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-06 mitre GHSA-vwwm-jm2x-63pj
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 15:00 euvd
EUVD-2026-19273
Analysis Generated
Apr 06, 2026 - 15:00 vuln.today
CVE Published
Apr 06, 2026 - 00:00 nvd
MEDIUM 5.4

DescriptionCVE.org

A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

AnalysisAI

Stored cross-site scripting (XSS) in Bynder v0.1.394 allows authenticated attackers to inject and execute arbitrary web scripts or HTML through a crafted payload, affecting users who interact with malicious content. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but posing a risk to collaborative environments where users trust stored content. No public exploit has been confirmed as actively exploited per CISA records, and EPSS/KEV status indicates lower real-world exploitation probability despite the stored XSS vector.

Technical ContextAI

Stored XSS vulnerabilities (CWE-79) occur when untrusted user input is persisted in a database or backend storage without proper sanitization or encoding, then reflected to other users via the application interface. In Bynder v0.1.394, the affected component fails to sanitize crafted payloads during storage, allowing an authenticated attacker to inject malicious HTML or JavaScript. When the stored content is rendered in another user's browser context, the injected script executes with the privileges of that user's session. The CPE data provided (n/a:n/a) suggests limited vendor-specific tracking, though Bynder's primary website and the referenced GitHub CVE repository (Henkel-CyberVM/CVEs) serve as disclosure sources. This attack differs from reflected XSS in that the payload persists and affects all users accessing the compromised content, not just those clicking a malicious link.

RemediationAI

Upgrade Bynder to a patched version beyond v0.1.394; the vendor advisory at https://www.bynder.com/en/ and NVD detail page at https://nvd.nist.gov/vuln/detail/CVE-2026-31153 should specify the minimum safe version. If a specific patched release is not yet available, implement input validation and output encoding on all user-controlled fields that are stored and later rendered, ensuring HTML/JavaScript sanitization using an allowlist-based approach (e.g., via OWASP DOMPurify or equivalent). Validate and sanitize payloads server-side before storage, and apply context-appropriate encoding (HTML entity encoding) when rendering stored content in the user interface. Review any stored content created by untrusted users and remove or sanitize known malicious payloads. The GitHub repository at https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153 may provide additional technical details or proof-of-concept references for validation purposes.

Share

EUVD-2026-19273 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy