Skip to main content

Ragic Enterprise Cloud Database EUVDEUVD-2026-43270

| CVE-2026-15552 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 twcert GHSA-gv5r-m2vf-6q47
5.3
CVSS 4.0 · Vendor: twcert
Share

Severity by source

Vendor (twcert) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-reachable, no privileges required, stored payload triggers on victim page load (UI:R), scope changes to victim browser with session/content impact (C:L/I:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (twcert).

CVSS VectorVendor: twcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 04:25 vuln.today

DescriptionCVE.org

Enterprise Cloud Database developed by Ragic has a Stored Cross-Site Scripting vulnerability, allowing unauthenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load.

AnalysisAI

Stored XSS in Ragic Enterprise Cloud Database permits unauthenticated remote attackers to inject persistent JavaScript into application data, which then executes in the browsers of any user who loads the affected page. Because the payload is stored server-side, a single injection event affects all subsequent visitors without further attacker interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit unauthenticated crafted input
Delivery
Malicious JS stored in database
Exploit
Victim loads affected page
Execution
Injected script executes in browser
Impact
Steal session token or manipulate UI

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the Ragic Enterprise Cloud Database application and the ability to submit input to a field or form that is subsequently rendered to other users without proper output encoding. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) captures the constrained subsequent-system impact (SC:L/SI:L) - session hijacking and page content manipulation - but no direct impact on the vulnerable system itself (VC:N/VI:N/VA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a crafted form entry or database record containing a malicious JavaScript payload - for example, a script that exfiltrates session cookies to an attacker-controlled endpoint - into a publicly accessible input field in the Ragic application. The payload is stored in the database. …
Remediation The primary remediation is to apply any patch or configuration update issued by Ragic as referenced in the TWCERT advisories at https://www.twcert.org.tw/tw/cp-132-11031-eccb2-1.html and https://www.twcert.org.tw/en/cp-139-11032-460c2-2.html - no specific fixed version number was disclosed in the available intelligence, so consult the vendor directly to confirm the patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy