
MyComplianceOffice MCO: EUVD-2026-40953

CVE-2026-53907 | MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 · CERT-PL · GHSA-r38x-66p9-p239
CVSS 4.0 score: 4.8 · Vendor: CERT-PL

Severity by source

Vendor (CERT-PL), primary: 4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI: 4.8 MEDIUM

PR:H reflects the logo-upload privilege the attacker must hold; S:C because the XSS crosses into the victim's browser scope; C:L/I:L captures the limited client-side session and content impact; there is no availability impact.

CVSS 3.1: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (CERT-PL).

CVSS Vector (Vendor: CERT-PL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: High (PR:H)
User Interaction: Passive (UI:P)
Scope: X (not a CVSS 4.0 base metric)

Lifecycle Timeline

Analysis Generated: Jul 01, 2026, 13:22 (vuln.today)
CVE Published: Jul 01, 2026, 11:58 (cve.org)

Description (source: CVE.org)

MCO is vulnerable to Stored Cross-Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
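The description above names the defect class (an SVG logo that carries script and executes when rendered or opened) but not what a defender can check. The following upload-time validator is an added example written for this page; it is not MCO's code, and the element and attribute lists it rejects are the author's assumptions about the usual SVG script carriers, not a statement of what MCO filters. The sample SVG inputs are constructed for the example.

```python
"""Upload-time check for SVG logos (added example; not MCO's own code)."""
import re
import xml.etree.ElementTree as ET

# Script carriers this example rejects (assumed list, not MCO's filter):
#  - <script> and <foreignObject> (arbitrary script / HTML inside SVG)
#  - <set>/<animate> (can rewrite href attributes at runtime)
#  - on* event-handler attributes on any element
#  - javascript:/vbscript: URLs in href or xlink:href
ACTIVE_TAGS = {"script", "foreignobject", "set", "animate"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    # Strip an XML namespace: "{http://www.w3.org/2000/svg}script" -> "script"
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = none found)."""
    findings: list[str] = []
    # Reject DTDs outright; a logo never needs entity declarations.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        findings.append("DTD/entity declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():  # includes the root element itself
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)  # covers both href and xlink:href
            if EVENT_ATTR.match(a):
                findings.append(f"event handler attribute {a} on <{name}>")
            if a == "href" and SCRIPT_SCHEME.match(value):
                findings.append(f"script URL in {a} on <{name}>")
    return findings


def is_safe_logo(data: bytes) -> bool:
    """True when the validator found no script carrier in the SVG."""
    return not svg_findings(data)


# Constructed sample inputs for the example.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
            b'<circle cx="5" cy="5" r="4"/></svg>')
BAD_EVENT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
                 b'<script>run()</script></svg>')
BAD_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<a xlink:href="javascript:run()"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SVG), ("event", BAD_EVENT_SVG), ("href", BAD_HREF_SVG)):
        print(label, "->", svg_findings(sample) or "accepted")
```

Run as a script it prints the findings for the three constructed samples. A reject-on-findings check like this belongs on the upload path, before the file is stored; it complements rather than replaces serving uploaded logos in a way that never opens them as a top-level document, since a browser does not execute script in an SVG embedded through an `<img>` element but does when the file is navigated to directly, which is the "rendered or opened" distinction in the description.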

Analysis (AI-generated)

Stored XSS in MyComplianceOffice MCO version 25.3.3.1 allows a privileged attacker with logo-upload rights to plant malicious JavaScript inside a crafted SVG file that executes in any user's browser when the application logo is rendered. The issue was reported by CERT-PL; vendor contact was unsuccessful, so no official patch or advisory is in place. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain MCO account with logo-upload privilege
Delivery: Craft SVG embedding JavaScript payload
Exploit: Upload malicious SVG as application logo
Execution: Victim user navigates to page rendering the logo
Persist: Malicious script executes in victim's browser
Impact: Harvest session token or perform authenticated actions as victim

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must hold an MCO account with privileges sufficient to change the application logo, corresponding to PR:H in the CVSS 4.0 vector; this is the explicit and concrete prerequisite stated in the CVE description. …

Risk Assessment: The CVSS 4.0 score of 4.8 (Medium) accurately captures several significant risk-limiting factors: PR:H (high privilege is required to reach the logo upload function), UI:P (a victim must passively encounter the rendered logo), and bounded impact metrics (VI:L, SC:L, SI:L; no server-side confidentiality exposure). …

Exploit Scenario: An attacker holding an MCO account with logo-management privileges crafts an SVG file embedding a JavaScript payload (for example, a script that sends the document cookie to an attacker-controlled endpoint) and uploads it as the application logo via the standard UI. Any MCO user (including higher-privileged administrators) who subsequently loads a page rendering that logo triggers script execution in their own browser context, allowing the attacker to capture session tokens and perform authenticated actions on the victim's behalf. …

Remediation: No vendor-released patch has been identified at the time of analysis; CERT-PL's vendor contact attempts were unsuccessful and no fix version has been disclosed. …

