CVE-2026-42558
Status: Deferred - Pending Action

Stored XSS and Iframe Sandbox Escape in Xibo CMS

Vulnerability report for CVE-2026-42558, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and an Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and facilitate XSS. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard:

  • Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts

Users should upgrade to version 4.4.2, which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 1 associated CPE
Vendor   Product   Version / Range
xibo     xibo      up to 4.4.2 (4.4.2 excluded)

CWE

CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-346: The product does not properly verify that the source of data or communication is valid.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

This vulnerability affects the Xibo digital signage platform prior to version 4.4.2. It is a chain of two issues: Stored Cross-Site Scripting (XSS) and an Iframe Sandbox escape within the Xibo CMS. Users who have DataSet permissions can exploit the Data Connector functionality to craft messages that escape the sandbox restrictions and execute malicious scripts (XSS).

Exploitation requires an authorized user with specific privileges, including the ability to add DataSets independently of Layouts, which are not typically granted to non-admin users by default.

The vulnerability is fixed in version 4.4.2, and users are advised to upgrade or revoke these privileges from untrusted users.

Impact Analysis

This vulnerability can lead to unauthorized execution of malicious scripts within the Xibo CMS environment by users who have certain elevated permissions. This can result in data theft, session hijacking, or other malicious actions performed through the exploited XSS.

Because the vulnerability allows sandbox escape, it increases the risk of broader attacks beyond typical XSS limitations, potentially compromising the integrity and confidentiality of the system.

The CVSS base score of 7.6 indicates high severity, with a network attack vector, low attack complexity, privileges required, and user interaction needed.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Xibo to version 4.4.2, which contains the fix for this issue.

If upgrading is not possible immediately, revoke the privileges that allow users to add DataSets from any users who are not fully trusted, as exploitation requires specific privileges.

Compliance Impact

The vulnerability in Xibo CMS allows for Stored Cross-Site Scripting (XSS) and iframe sandbox escape, which can lead to unauthorized access to sensitive information due to the high confidentiality impact. Such unauthorized data exposure or manipulation could potentially violate data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive data.

Because the vulnerability enables attackers with certain privileges to execute malicious scripts that bypass security controls, it increases the risk of data breaches and unauthorized data disclosure. This risk can affect compliance with standards that mandate strict access controls, data integrity, and confidentiality.

Mitigating this vulnerability by upgrading to version 4.4.2 or revoking specific privileges from untrusted users is necessary to maintain compliance with these regulations.

Detection Guidance

Detection of this vulnerability involves identifying whether your Xibo CMS installation is version 4.4.1 or earlier and whether users hold DataSet permissions that allow them to add DataSets independently of Layouts.

Since the vulnerability is exploited via the Data Connector functionality to craft malicious messages that escape iframe sandboxing and execute Stored XSS, monitoring for unusual or suspicious Data Connector script activity or unexpected DataSet creations by users with these privileges can help detect exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly. However, general steps include:

  • Check the Xibo CMS version by accessing the CMS interface or querying the application version.
  • Review user permissions to identify users with DataSet privileges that include the ability to add DataSets independently.
  • Audit web server logs for suspicious requests to the Data Connector endpoints that might indicate attempts to inject malicious scripts.
  • Use web application security scanners or manual testing to attempt to inject scripts via the Data Connector functionality if authorized for testing.
