CVE-2026-42558
Stored XSS and Iframe Sandbox Escape in Xibo CMS

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and facilitate XSS.

Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard:

- Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts

Users should upgrade to version 4.4.2 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.
Meta Information
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
One associated CPE:
Vendor: xibo
Product: xibo
Version / Range: up to 4.4.2 (excluding 4.4.2)
CWE ID and Description
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-346: The product does not properly verify that the source of data or communication is valid.
CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Executive Summary

This vulnerability affects the Xibo digital signage platform prior to version 4.4.2. It is a chain of two issues: Stored Cross-Site Scripting (XSS) and an Iframe Sandbox escape within the Xibo CMS. Users who have DataSet permissions can exploit the Data Connector functionality to craft messages that escape the sandbox restrictions and execute malicious scripts (XSS).

Exploitation requires an authorized user with specific privileges, including the ability to add DataSets independently to Layouts, which are not typically granted to non-admin users by default.

The vulnerability is fixed in version 4.4.2, and users are advised to upgrade or revoke these privileges from untrusted users.

Impact Analysis

This vulnerability can lead to unauthorized execution of malicious scripts within the Xibo CMS environment by users who have certain elevated permissions. This can result in data theft, session hijacking, or other malicious actions performed through the exploited XSS.

Because the vulnerability allows sandbox escape, it increases the risk of broader attacks beyond typical XSS limitations, potentially compromising the integrity and confidentiality of the system.

The CVSS base score of 7.6 indicates high severity: the attack vector is network, attack complexity is low, privileges are required, and user interaction is required.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Xibo to version 4.4.2, which contains the fix for this issue.

If upgrading is not possible immediately, revoke the privileges that allow users to add DataSets from any users who are not fully trusted, as exploitation requires specific privileges.
