CVE-2026-4794
Authenticated Admin XSS Vulnerabilities in PaperCut NG/MF Before
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: PaperCut
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| papercut | papercut_mf | up to 25.0.10 (excluding) |
| papercut | papercut_ng | up to 25.0.10 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-4794 involves multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF that allow authenticated administrator users to inject arbitrary web script or HTML. Because the injected content is rendered for other administrators, this could lead to compromise of administrator sessions or to unauthorized actions performed within the administrative context.
Such vulnerabilities can impact compliance with standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to, or manipulation of, sensitive data and administrative controls. Securing administrative access and preventing session compromise are part of the confidentiality and integrity protections these regulations require.
The security bulletin for PaperCut NG/MF emphasizes security best practices, including enforcing HTTPS and current TLS protocols, configuring session timeouts, and restricting server access; these controls reduce the impact of vulnerabilities like CVE-2026-4794 and support compliance efforts.
Can you explain this vulnerability to me?
CVE-2026-4794 describes multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF versions before 25.0.10. They allow authenticated administrator users to inject arbitrary web script or HTML through various user interface fields, because the values entered in those fields are not (or are incorrectly) neutralized before being placed in the pages served to other users (CWE-79).
This means that an attacker who already has administrator access can insert scripts that execute in the browser of other administrators when they view the affected pages.
Exploitation requires an active login session and authenticated administrator privileges.
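The root cause described above (CWE-79: a stored, administrator-controlled field concatenated into HTML without encoding) and its standard fix are shown below as an added example. This is illustrative Python written for this page, not PaperCut's code; the field names and sample values are constructed, and the audit helper is an assumed defender-side check for spotting markup that may already have been saved in UI fields before an upgrade.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample values an administrator might type into a UI field.
# Neither value comes from the advisory; they only illustrate the pattern.
BENIGN_NAME = "Finance Department"
HOSTILE_NAME = '<img src=x onerror="alert(document.cookie)">'


def render_unsafe(field_value: str) -> str:
    """Vulnerable pattern (CWE-79): the stored value is concatenated straight
    into the HTML served to other administrators, so any tag it contains is
    interpreted by their browser."""
    return f"<td>{field_value}</td>"


def render_escaped(field_value: str) -> str:
    """Hardened pattern: HTML-entity-encode the value before placing it in an
    HTML text node. quote=True also encodes quotes, which keeps the same
    helper safe for double-quoted attribute values."""
    return f"<td>{html.escape(field_value, quote=True)}</td>"


class _TagFinder(HTMLParser):
    """Collects every start tag (name plus attribute names) the browser's
    tokenizer would see in a string."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append((tag, [name for name, _ in attrs]))


def find_markup(value: str) -> List[Tuple[str, List[str]]]:
    """Returns the tags present in a value. A lone '<' (as in "a < b") is
    plain data to the parser and is not reported, so ordinary text with
    comparison characters does not trigger a false positive."""
    parser = _TagFinder()          # fresh instance per call; the parser is stateful
    parser.feed(value)
    parser.close()
    return parser.tags


def audit_fields(fields: Dict[str, str]) -> List[str]:
    """Assumed defender-side check: given exported field name -> stored value
    pairs, report the fields whose stored value contains HTML markup."""
    return [name for name, value in fields.items() if find_markup(value)]


if __name__ == "__main__":
    # Constructed export of a few admin-editable fields.
    exported = {
        "department_name": HOSTILE_NAME,
        "cost_center": "CC-100",
        "note": "a < b",
    }
    print("unsafe  :", render_unsafe(HOSTILE_NAME))
    print("escaped :", render_escaped(HOSTILE_NAME))
    print("flagged :", audit_fields(exported))
```

`find_markup(render_unsafe(HOSTILE_NAME))` reports both the template's `td` and the injected `img` with its `onerror` handler, while `find_markup(render_escaped(HOSTILE_NAME))` reports only `td`: the hostile value survives as visible text but no longer as markup. Encoding at output time is the fix the CWE describes; the audit helper is a complement for reviewing values saved before the patched version was installed.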
How can this vulnerability impact me?
The vulnerability can be used to compromise other administrator sessions: an injected script runs with the viewing administrator's authenticated context and can therefore perform actions that administrator is allowed to perform.
This could lead to unauthorized changes in the print management system, manipulation of configurations, or other administrative functions that require elevated privileges.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before version 25.0.10, follow the security best practices outlined in the official security bulletin:
- Upgrade PaperCut NG/MF to version 25.0.10 or later, where the vulnerabilities are fixed.
- Enforce HTTPS communication to protect data in transit.
- Configure and enforce CSRF validation to prevent unauthorized commands.
- Set appropriate session timeout settings to reduce the window for session hijacking.
- Restrict server access to trusted administrators only.
- Review and limit administrator user permissions to reduce the attack surface.