CVE-2026-14704
Received - Intake

Cross-Site Scripting in Bluebox up to 4.5.12

Vulnerability report for CVE-2026-14704, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was found in stephen-kruger bluebox up to 4.5.12. An unknown function is affected. Manipulation of the argument 'code' results in cross-site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor          Product   Version / Range
stephen_kruger  bluebox   up to 4.5.12 (inclusive)

Exploitability

CWE ID   Description
CWE-94   The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

AI Quick Actions

Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue found in the stephen-kruger bluebox application up to version 4.5.12. It occurs due to manipulation of an argument called 'code', which allows an attacker to inject malicious scripts. The attack can be initiated remotely, meaning an attacker does not need local access to exploit it. The vulnerability has been publicly disclosed and could be exploited by attackers.

Impact Analysis

The impact of this vulnerability is that an attacker could execute malicious scripts in the context of the bluebox webmail interface or related components. This could lead to unauthorized actions performed on behalf of a user, theft of session information, or other malicious activities that exploit the trust of the user in the application. Since the attack can be performed remotely, it increases the risk of exploitation without requiring physical or internal network access.

Detection Guidance

The vulnerability is a cross-site scripting (XSS) issue in the stephen-kruger bluebox application up to version 4.5.12. Detection would typically involve testing the webmail interface or any web components of bluebox for XSS by injecting malicious scripts into input fields or parameters.

Since bluebox is a Java-based tool with a webmail interface, you can attempt to detect the vulnerability by sending crafted HTTP requests containing script payloads to the webmail interface or any URL parameters that accept user input.

No specific detection commands or tools are provided in the available resources. However, common approaches include using web vulnerability scanners like OWASP ZAP or Burp Suite to scan the bluebox web interface for XSS vulnerabilities.

Manual testing commands might include using curl or wget to send HTTP requests with typical XSS payloads, for example:

  • curl -X GET "http://<bluebox-host>:<port>/path?param=<script>alert(1)</script>"
  • Observe the response to see whether the script is reflected unescaped, which indicates the vulnerability.

Mitigation Strategies

Immediate mitigation steps for this cross-site scripting vulnerability in bluebox include:

  • Avoid exposing the bluebox webmail interface to untrusted networks or users.
  • Apply input validation and output encoding on all user-supplied inputs in the bluebox application to prevent script injection.
  • If possible, update bluebox to a version where this vulnerability is fixed. However, no fixed version is mentioned in the provided data.
  • Monitor the bluebox GitHub repository or issue tracker for patches or official fixes.
  • Restrict access to the bluebox service using network controls such as firewalls or VPNs.
