CVE-2026-4165
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site Scripting in Worksuite /account/orders/create Function

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4165
EUVD
EUVD-2026-12207
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
worksuite hr_crm_and_project_management to 5.5.25 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4165 is a stored cross-site scripting (XSS) vulnerability found in Worksuite HR, CRM, and Project Management software versions up to 5.5.25. It exists in the order creation functionality at the endpoint /account/orders/create, specifically involving the Client Note parameter.

The vulnerability arises because user input in the Client Note field is not properly sanitized or encoded, allowing an attacker to inject malicious HTML5 and JavaScript code. When an administrator or other users view the order containing the malicious payload, the script executes automatically without requiring any interaction.

Exploitation requires the attacker to have order creation permissions and involves submitting a crafted payload that triggers JavaScript execution when viewed. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and corresponds to MITRE ATT&CK technique T1059.007.

Impact Analysis

This vulnerability can have several impacts including session hijacking, phishing, and unauthorized actions.

  • Attackers can steal administrator cookies, allowing them to hijack sessions.
  • Phishing attacks can be conducted by altering page content to deceive users.
  • Attackers may perform unauthorized actions on behalf of victims, such as creating fake administrators or deleting data.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing the order creation functionality, specifically the Client Note field in the /account/orders/create endpoint, for improper sanitization of input that allows injection of malicious scripts.

A practical detection method involves attempting to inject a known XSS payload such as <details open ontoggle=prompt(origin)> into the Client Note field while logged in as a user with order creation permissions, then observing if the payload executes when the order is viewed by an administrator.

There are no specific network commands provided, but manual testing or automated web application scanners that test for stored XSS vulnerabilities on the Client Note parameter at the /account/orders/create endpoint can be used.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing strict input sanitization on the Client Note field to allow only safe characters or stripping all HTML tags if they are not required.'}, {'type': 'paragraph', 'content': 'Apply contextual output encoding to convert special characters into HTML entities to prevent script execution.'}, {'type': 'paragraph', 'content': "Enforce a robust Content Security Policy (CSP) that blocks inline scripts and event handlers, for example by disallowing 'unsafe-inline' scripts."}, {'type': 'paragraph', 'content': 'If possible, consider replacing the affected product with an alternative that is not vulnerable.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4165. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart