Skip to main content

Vinna Process Monitor EUVDEUVD-2026-35390

| CVE-2026-41031 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 CERTVDE GHSA-9cvc-ww9r-ffmh
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Jun 09, 2026 - 11:01 EUVD
Analysis Generated
Jun 09, 2026 - 10:35 vuln.today
Severity Changed
Jun 09, 2026 - 10:22 NVD
HIGH CRITICAL
CVSS changed
Jun 09, 2026 - 10:22 NVD
8.7 (HIGH) 9.3 (CRITICAL)

DescriptionCVE.org

A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 (Build 63255) allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and session credentials.

AnalysisAI

Stored cross-site scripting in Vinna Process Monitor 4.0 Service Pack 1 (Build 63255) allows authenticated low-privilege users to inject persistent JavaScript that executes in other users' browsers, enabling theft of administrative session tokens and credentials. The CVSS 4.0 score of 9.3 reflects the cross-scope impact whereby a low-privileged attacker can escalate to administrative control. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected product is Skilja GmbH's Vinna Process Monitor, a business process monitoring application identified by CPE cpe:2.3:a:skilja_gmbh:vinna_process_monitor:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS pattern where user-supplied input is persisted server-side and later rendered in administrative or other users' browsers without proper output encoding or sanitization. Because the injected payload is stored, it executes whenever a privileged user views the affected interface, allowing the attacker's JavaScript to run within the victim's authenticated session context and access session tokens.

RemediationAI

Patch available per vendor advisory; consult the Skilja security advisory at https://partner.skilja.com/uncategorized/security-advisory-stored-xss-in-vinna-process-monitor-cve-2026-41031/ for the specific fixed build, as no exact fix version is included in the available intelligence data. Until the patched build is deployed, restrict access to the Process Monitor web interface to trusted network segments via firewall or VPN, audit and minimize the number of low-privilege accounts that can submit data persisted to administrative views, and apply a strict Content Security Policy that disallows inline script execution (note this may break legitimate UI features and requires testing). Administrators should also rotate session tokens and review audit logs for unexpected privileged actions following discovery.

Share

EUVD-2026-35390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy