Xibo CMS Stored Cross-Site Scripting Vulnerability with Zero-Click Execution on Login

Vulnerability

A stored Cross-Site Scripting vulnerability has been identified in Xibo CMS versions prior to 4.4.1. It allows an authenticated user who holds notification creation permissions to inject arbitrary JavaScript into the body of a notification. When that notification is marked as an 'interrupt', the injected script executes automatically in the browser of every targeted user on their next login, with no user interaction required. Exploitation therefore requires only an account with access to the Notification Centre and permission to create new notifications.

Impact

Exploitation of this vulnerability allows for stored Cross-Site Scripting, where injected scripts are executed in the context of the user receiving the notification.

Remediation

Users should upgrade to Xibo CMS version 4.4.1, which addresses this vulnerability. For those unable to upgrade, it is recommended to revoke notification creation privileges from untrusted users.
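The two controls a defender wants here are output encoding of the notification body at render time and a way to triage notifications that are already stored before the upgrade lands. The following is an added example written for this advisory, not Xibo's own code: the record layout (id, is_interrupt, body, author), the sample rows and the rendering functions are assumptions chosen for illustration. It contrasts verbatim interpolation of the body (the behaviour the advisory describes) with HTML-escaped rendering, and audits a list of stored records so interrupt notifications carrying active content surface first.

```python
"""Defensive handling of notification bodies: escape on render, audit stored rows.

Added example for the Xibo CMS stored XSS advisory; not Xibo's code.
Field names (id, is_interrupt, body, author) are assumptions for illustration.
"""
import html
import re

# Markers of active content in a field that is meant to hold plain text:
# script tags, inline event handlers such as onerror=, and javascript: URLs.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def contains_active_content(body: str) -> bool:
    """True when the body carries markup that would execute if rendered raw."""
    return ACTIVE_CONTENT.search(body) is not None


def render_unsafe(body: str) -> str:
    """Vulnerable pattern: the stored body is interpolated verbatim, so any
    markup the author typed becomes live in the recipient's browser."""
    return f'<div class="notification-body">{body}</div>'


def render_escaped(body: str) -> str:
    """Hardened pattern: encode the body so it is displayed as text only.
    quote=True also encodes quotes, which matters inside attribute values."""
    return f'<div class="notification-body">{html.escape(body, quote=True)}</div>'


def audit_notifications(rows):
    """Return ids of stored notifications whose body contains active content.

    Interrupt notifications are listed first because they execute on login
    without any click; within each group the order is by id.
    """
    flagged = [r for r in rows if contains_active_content(r["body"])]
    flagged.sort(key=lambda r: (not r["is_interrupt"], r["id"]))
    return [r["id"] for r in flagged]


# Constructed sample records (not taken from any real Xibo instance).
SAMPLE_ROWS = [
    {"id": 1, "is_interrupt": False, "author": "ops",
     "body": "Display 3 is offline since 09:00"},
    {"id": 2, "is_interrupt": True, "author": "ops",
     "body": "Planned maintenance <b>tonight</b>"},
    {"id": 3, "is_interrupt": True, "author": "contractor",
     "body": "<script>alert(1)</script>"},
    {"id": 4, "is_interrupt": False, "author": "contractor",
     "body": '<img src=x onerror="alert(1)">'},
]


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["id"], "unsafe :", render_unsafe(row["body"]))
        print(row["id"], "escaped:", render_escaped(row["body"]))
    print("flagged ids, interrupts first:", audit_notifications(SAMPLE_ROWS))
```

Escaping turns harmless formatting such as the `<b>` in row 2 into literal text as well; if operators legitimately rely on rich text in notifications, the equivalent of render_escaped is an allowlist HTML sanitizer applied on the way in and on the way out, not raw interpolation. The audit's ordering reflects the advisory's point that interrupt notifications need no click, so those rows are the ones to remove or neutralise first while the upgrade to 4.4.1 is scheduled.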

Added: Apr 24, 2026, 1:24 AM
Updated: Apr 24, 2026, 1:24 AM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 1.7
exploitability: 4.6
remediation: 8.3
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.