Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 (Build 63255) allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and session credentials.
AnalysisAI
Stored cross-site scripting in Vinna Process Monitor 4.0 Service Pack 1 (Build 63255) allows authenticated low-privilege users to inject persistent JavaScript that executes in other users' browsers, enabling theft of administrative session tokens and credentials. The CVSS 4.0 score of 9.3 reflects the cross-scope impact whereby a low-privileged attacker can escalate to administrative control. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The affected product is Skilja GmbH's Vinna Process Monitor, a business process monitoring application identified by CPE cpe:2.3:a:skilja_gmbh:vinna_process_monitor:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS pattern where user-supplied input is persisted server-side and later rendered in administrative or other users' browsers without proper output encoding or sanitization. Because the injected payload is stored, it executes whenever a privileged user views the affected interface, allowing the attacker's JavaScript to run within the victim's authenticated session context and access session tokens.
RemediationAI
Patch available per vendor advisory; consult the Skilja security advisory at https://partner.skilja.com/uncategorized/security-advisory-stored-xss-in-vinna-process-monitor-cve-2026-41031/ for the specific fixed build, as no exact fix version is included in the available intelligence data. Until the patched build is deployed, restrict access to the Process Monitor web interface to trusted network segments via firewall or VPN, audit and minimize the number of low-privilege accounts that can submit data persisted to administrative views, and apply a strict Content Security Policy that disallows inline script execution (note this may break legitimate UI features and requires testing). Administrators should also rotate session tokens and review audit logs for unexpected privileged actions following discovery.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35390
GHSA-9cvc-ww9r-ffmh