CVE-2026-29969
Analyzed Analyzed - Analysis Complete
Cross-Site Scripting in Staffwiki wff_cols_pref.css.aspx Endpoint

Publication date: 2026-03-26

Last updated on: 2026-05-07

Assigner: MITRE

Description
A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29969
EUVD
EUVD-2026-16299
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
workflowfirst staffwiki 7.0.1.19219
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29969 is a reflected Cross-Site Scripting (XSS) vulnerability found in the wff_cols_pref.css.aspx endpoint of staffwiki version 7.0.1.19219.

This vulnerability occurs because user-supplied input embedded within the URL path filename is returned unsanitized in the HTTP response, allowing attackers to inject arbitrary JavaScript.

An attacker can craft a malicious HTTP request containing encoded JavaScript that executes within the context of the user's browser when they interact with the affected endpoint.

Some characters require encoding to bypass input validation controls, but simple payloads can execute directly.

This enables execution of attacker-controlled scripts, potentially compromising the user's session or data.

Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript code in the context of a user's browser when they visit the vulnerable endpoint.

  • Stealing user session cookies or authentication tokens.
  • Performing actions on behalf of the user without their consent.
  • Redirecting users to malicious websites.
  • Injecting malicious content or defacing the website.

Overall, this can lead to compromised user accounts, data theft, and loss of trust in the affected application.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests to the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 and observing if arbitrary JavaScript is executed or reflected unsanitized in the HTTP response.

A practical approach is to use tools like curl or a web proxy to send requests with encoded JavaScript payloads in the URL path filename and check the response for unsanitized script injection.

  • Example curl command to test the vulnerability: curl -i "http://target/wff_cols_pref.css.aspx/%3Cscript%3Ealert('XSS')%3C/script%3E"
  • Use a web proxy or browser developer tools to inspect the HTTP response for reflected script tags or JavaScript code.
Mitigation Strategies

The recommended immediate mitigation is to upgrade staffwiki to the forthcoming patched version (vPENDING) once it becomes available.

Until the patch is available, consider implementing web application firewall (WAF) rules to block requests containing suspicious or encoded JavaScript payloads targeting the wff_cols_pref.css.aspx endpoint.

Additionally, restrict access to the vulnerable endpoint if possible and monitor logs for suspicious requests attempting to exploit this XSS vulnerability.

Compliance Impact

The provided information does not specify how the cross-site scripting (XSS) vulnerability in staffwiki v7.0.1.19219 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29969. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart