CVE-2026-3107
Received Received - Intake
Stored XSS in Teampass Password Import Enables Credential Theft

Publication date: 2026-03-31

Last updated on: 2026-04-07

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, allowing malicious JavaScript payloads to be persistently stored in the database. When other users view the imported passwords, the payload is automatically executed in their browsers, resulting in a stored XSS condition at the endpoint 'redacted/index.php?page=items'. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of multiple users and the administrator, which can lead to session hijacking, credential theft, privilege abuse, and compromise of application integrity.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3107
EUVD
EUVD-2026-17347
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
teampass teampass From 3.1.5.16 (inc) to 3.1.5.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue found in Teampass versions prior to 3.1.5.16. It occurs in the password import functionality at a specific endpoint. The application does not properly sanitize or encode user input during the import process, allowing malicious JavaScript code to be stored persistently in the database.

When other users view the imported passwords, the malicious script executes automatically in their browsers. This stored XSS enables attackers to run arbitrary JavaScript in the context of multiple users and administrators.

Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of multiple users and administrators, potentially leading to session hijacking, credential theft, privilege abuse, and compromise of application integrity.

Such security breaches can result in unauthorized access to sensitive data, which may violate data protection requirements under regulations like GDPR and HIPAA that mandate the protection of personal and health information.

Therefore, this vulnerability could negatively impact compliance with these standards by exposing sensitive user credentials and compromising the confidentiality and integrity of stored data.

Impact Analysis

Exploiting this vulnerability can lead to serious security impacts including session hijacking, credential theft, privilege abuse, and compromise of the application's integrity.

  • Attackers can execute arbitrary JavaScript code in users' browsers.
  • Attackers may steal user credentials or hijack sessions.
  • Attackers can abuse privileges and compromise the application.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3107. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart