CVE-2026-4794
Received Received - Intake
Authenticated Admin XSS Vulnerabilities in PaperCut NG/MF Before

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: PaperCut

Description
Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10Β allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4794
EUVD
EUVD-2026-17271
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
papercut papercut_mf to 25.0.10 (exc)
papercut papercut_ng to 25.0.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4794 describes multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF versions before 25.0.10. These vulnerabilities allow authenticated administrator users to inject arbitrary web script or HTML code through various user interface fields.

This means that an attacker with administrator access can insert malicious scripts that could execute in the context of other administrators' sessions.

Exploitation requires an active login session and authenticated administrator privileges.

Impact Analysis

The vulnerability can be used to compromise other administrator sessions by executing injected scripts, potentially allowing unauthorized actions within the administrator's authenticated context.

This could lead to unauthorized changes in the print management system, manipulation of configurations, or other administrative functions that require elevated privileges.

Mitigation Strategies

To mitigate the multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before version 25.0.10, it is important to follow security best practices as outlined in the official security bulletin.

  • Upgrade PaperCut NG/MF to version 25.0.10 or later where the vulnerabilities are fixed.
  • Enforce HTTPS communication to secure data in transit.
  • Configure and enforce CSRF validation to prevent unauthorized commands.
  • Set appropriate session timeout settings to reduce risk of session hijacking.
  • Restrict server access to trusted administrators only.
  • Review and limit administrator user permissions to reduce attack surface.
Compliance Impact

CVE-2026-4794 involves multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF that allow authenticated administrator users to inject arbitrary web scripts or HTML code. This could lead to compromise of administrator sessions or unauthorized actions within the administrative context.

Such vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or manipulation of sensitive data or administrative controls. Ensuring secure administrative access and preventing session compromise are critical for maintaining data confidentiality and integrity required by these regulations.

The security bulletin for PaperCut NG/MF emphasizes security best practices, including enforcing HTTPS, TLS protocols, session timeout settings, and restricting server access, which are important controls to mitigate risks from vulnerabilities like CVE-2026-4794 and support compliance efforts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4794. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart