CVE-2026-63081
Received Received - Intake

Stored XSS in Perfect Support Ticketing & Document Management System

Vulnerability report for CVE-2026-63081, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

Perfect Support Ticketing & Document Management System through 1.7 contains a stored cross-site scripting vulnerability that allows authenticated attackers with Agent-level privileges to inject malicious payloads into the Notes field of assigned support tickets. Attackers can store malicious scripts that execute in the browser context of any user who views the affected ticket notes, including Superadmin users, enabling session hijacking or unauthorized actions on behalf of the victim.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
perfect_support ticketing_and_document_management_system 1.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63081 is a stored cross-site scripting (XSS) vulnerability in Perfect Support Ticketing & Document Management System version 1.7. Authenticated attackers with Agent-level privileges can inject malicious scripts into the Notes field of assigned support tickets. These scripts execute when other users view the ticket notes, including Superadmin users.

Detection Guidance

To detect this stored XSS vulnerability, monitor network traffic for suspicious input in the Notes field of support tickets. Check for payloads like <a href="javascript:alert(document.domain)">clickme</a> in ticket data. Review browser console logs for unexpected script executions when viewing ticket notes.

Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript in the browser of affected users. This could lead to session hijacking, unauthorized actions on behalf of victims, or privilege escalation if targeted against other Agent or Superadmin users.

Compliance Impact

This stored XSS vulnerability could potentially violate compliance requirements under GDPR and HIPAA by enabling unauthorized access to sensitive data. Attackers could exploit it to hijack sessions of Superadmin users or other privileged accounts, potentially exposing personal data or protected health information. The ability to execute arbitrary scripts in the context of other users may lead to unauthorized data access, modification, or disclosure, which directly conflicts with GDPR's data protection principles and HIPAA's security requirements for safeguarding protected health information.

Mitigation Strategies

Immediately update Perfect Support Ticketing System to the latest patched version. Implement input validation to sanitize all user inputs in the Notes field, blocking JavaScript and HTML tags. Restrict Agent-level privileges to trusted users only and monitor ticket notes for malicious payloads.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart