Description
Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context.
Published: 2026-03-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side arbitrary code execution via XSS
Action: Patch
AI Analysis

Impact

Serviio PRO 1.8 contains a DOM-based cross-site scripting flaw in its mediabrowser component. The payload of a crafted URL is read from document.location and rendered through document.write, so arbitrary HTML and JavaScript execute in the victim's browser. Such client-side code execution could be used for actions such as defacing the page or hijacking a session, though the description does not detail specific downstream effects.
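The sink pattern the analysis describes, shown as an added example that is not Serviio's code and does not reproduce the mediabrowser component: a URL parameter is concatenated into markup for document.write, next to three defensive replacements (HTML-encoding before concatenation, writing through a text-only DOM property instead of document.write, and allowlist validation for parameters with a known shape). The parameter names "title" and "id", the helper names and the minimal fake document are assumptions made so the code runs in Node.

```javascript
// Added example (not Serviio's code): the DOM XSS sink the advisory describes
// and its hardened forms. Parameter names and helpers are assumptions.

// Read one query-string parameter. In a browser the URL string would come from
// document.location.href; it is passed in here so the code runs outside a browser.
function getParam(urlString, name) {
  const url = new URL(urlString, "http://localhost/");
  return url.searchParams.get(name) ?? "";
}

// Encode the characters that would let data alter the HTML structure.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape (CWE-79, kept only to show the defect): untrusted URL text is
// concatenated straight into markup, so any '<' in the parameter becomes a tag
// once the string reaches document.write.
function buildHeadingUnsafe(urlString) {
  return "<h1>" + getParam(urlString, "title") + "</h1>";
}

// Fix 1: encode before concatenation, so the browser renders the text literally.
function buildHeadingEscaped(urlString) {
  return "<h1>" + escapeHtml(getParam(urlString, "title")) + "</h1>";
}

// Fix 2 (preferred): avoid document.write and assign through textContent, which
// creates a text node that the parser never interprets as HTML. `doc` is a
// stand-in for the browser document (see makeFakeDocument below).
function renderHeadingTextOnly(urlString, doc) {
  const h1 = doc.createElement("h1");
  h1.textContent = getParam(urlString, "title");
  doc.body.appendChild(h1);
  return h1;
}

// Fix 3: for parameters with a known shape (here a numeric media id, assumed),
// validate against an allowlist and reject everything else before any use.
function parseMediaId(urlString) {
  const raw = getParam(urlString, "id");
  return /^[0-9]{1,12}$/.test(raw) ? Number(raw) : null;
}

// Constructed minimal document so renderHeadingTextOnly can run in Node.
function makeFakeDocument() {
  const body = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    body,
    createElement(tagName) { return { tagName, textContent: "" }; },
  };
}
```

In a real page the textContent approach (Fix 2) is the one to reach for: it removes the HTML parser from the data path entirely, whereas encoding (Fix 1) only stays safe as long as every concatenation site remembers to call it.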

Affected Systems

The vulnerability affects Serviio PRO 1.8 DLNA Media Streaming Server. Any instance running that exact version is vulnerable.

Risk and Exploitability

The CVSS score of 5.1 places the flaw in the medium severity range, and an EPSS score below 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must lure a user to a specially crafted URL that the mediabrowser component processes; when the component reads that URL from document.location and passes it to document.write, the injected code executes in the victim's browser context. This requires user interaction and does not compromise the server, but it gives the attacker full control of the page in the victim's browser session.

Generated by OpenCVE AI on March 21, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Serviio PRO to a version that fixes the DOM‑based XSS flaw.
  • If an upgrade is not immediately feasible, block or sanitize URLs that target the mediabrowser component to prevent injection of malicious input.
  • Restrict access to the media server to trusted networks or authenticated users to limit exposure.
  • Monitor server logs for suspicious URL patterns and investigate anomalous requests.
  • Ensure client browsers are up‑to‑date and have XSS protection enabled.



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Serviio, Serviio serviio Pro
Type: Vendors & Products
Values Added: Serviio, Serviio serviio Pro

Sun, 15 Mar 2026 19:00:00 +0000

Type: Description
Values Added: Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context.
Type: Title
Values Added: Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Serviio Serviio Pro
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:17.702Z

Reserved: 2026-03-15T17:44:32.856Z

Link: CVE-2017-20219

Vulnrichment

Updated: 2026-03-16T14:17:13.310Z

NVD

Status: Deferred

Published: 2026-03-16T14:17:51.527

Modified: 2026-04-15T14:56:45.970

Link: CVE-2017-20219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:20Z

Weaknesses