CVE-2026-42558

HIGH EPSS 1.5%
Published Jun 10, 20262w ago · Modified Jun 17, 20262w ago
7.6 CVSS 3.1
High
Find Similar
Published Jun 10, 2026 2w ago
Last Modified Jun 17, 2026 2w ago

Description

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and facilitate XSS. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts Users should upgrade to version 4.4.2 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.

CVSS Details

Base Score
7.6
Exploitability
2.3
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
1.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 3

CWE-116
CWE-346
CWE-79 Cross-site Scripting Injection

References 1

  • github.com https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-6389-j56c-9fww

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.