Description
CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CMDBuild 3.3.2 includes multiple stored XSS flaws that let authenticated users inject arbitrary scripts or HTML into the system. By submitting crafted data when creating employee cards or uploading SVG attachments to the classes endpoint, an attacker can store malicious payloads. When other users open those records or preview the attachments, the payload runs in their browser context, potentially stealing session cookies, defacing the UI, or launching further phishing or credential‑stealing attacks. This is a typical CWE‑79 (cross‑site scripting) issue; because the payload is stored rather than reflected, it poses a confidentiality and integrity risk to every user who views the affected content.

Affected Systems

The affected product is CMDBuild from the Cmdbuild vendor, specifically version 3.3.2. The vulnerability is triggered by authenticated users interacting with card creation or file upload endpoints. No other versions are known to be affected from the supplied data.

Risk and Exploitability

With a CVSS v4.0 score of 5.1, the risk is rated medium. The EPSS score was not available when this analysis was generated, so no quantified likelihood of exploitation is provided, and the vulnerability is not listed in the CISA KEV catalog. Attackers need valid credentials to create the malicious content, but once stored the XSS executes in the browser of any user who visits the record or opens the attachment, giving the attacker an opportunity to compromise a broader set of users. The absence of a public exploit in the references suggests the attack vector remains theoretical, yet the vulnerability is sufficient to warrant remediation.

Generated by OpenCVE AI on May 10, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CMDBuild to the latest released version, which contains the XSS fix.
  • If an upgrade cannot be performed immediately, delete or disable the SVG file upload capability and the classes endpoint that allows file attachments, thereby preventing the storage of malicious payloads.
  • Implement thorough input validation and proper output encoding on the Employee card parameters and any form data processed by the application, using defenses against CWE‑79 such as escaping or a secure templating engine.
  • Apply browser‑side XSS protections such as a strict Content‑Security‑Policy header to reduce the impact of any remaining script execution. The X‑XSS‑Protection header is also often recommended, but it is deprecated and ignored by current browsers, so treat CSP as the effective control.
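The two application‑side mitigations above (output encoding for card fields and safe handling of SVG attachments) are shown together in the following Python example. This is an added illustration, not code from CMDBuild or from OpenCVE; it assumes a generic web application that renders card fields into HTML and serves uploaded files, and the function names, the sample card value and the sample file bytes are all constructed for the example.

```python
"""Defensive handling of stored XSS for card fields and SVG uploads.

Added example (not CMDBuild code). Two controls are demonstrated:
  1. Every card field value is HTML-escaped at render time, so markup
     stored in a field is displayed as text instead of being interpreted.
  2. Uploaded files that are SVG (by declared type OR by content sniffing)
     are never rendered inline: they are served as a download with a
     sandboxing CSP, so any script inside the image cannot execute in the
     application's origin.
"""
import html
import re

# Matches an SVG root element anywhere in the first bytes of the file.
_SVG_ROOT = re.compile(rb"<svg\b", re.IGNORECASE)

# Only characters safe inside a quoted Content-Disposition filename.
_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def render_card_field(label: str, value: str) -> str:
    """Render one card field as HTML with both label and value escaped.

    html.escape(quote=True) turns < > & " ' into entities, which is the
    minimum needed when the value lands in element text or attributes.
    """
    return f"<dt>{html.escape(label, quote=True)}</dt><dd>{html.escape(value, quote=True)}</dd>"


def looks_like_svg(data: bytes) -> bool:
    """Sniff the file content rather than trusting the declared MIME type."""
    head = data[:2048].lstrip()
    if head.startswith((b"<?xml", b"<svg", b"<!DOCTYPE svg")):
        return True
    return _SVG_ROOT.search(head) is not None


def safe_filename(filename: str) -> str:
    """Strip anything that could break out of the Content-Disposition header."""
    cleaned = _SAFE_NAME.sub("_", filename)[:128]
    return cleaned or "download"


def attachment_headers(filename: str, data: bytes, declared_type: str) -> dict:
    """Build response headers for serving a stored attachment.

    SVG is forced to download under an opaque content type; everything else
    keeps its declared type but still gets nosniff and a sandboxing CSP so a
    mislabelled HTML file cannot run script in the application origin.
    """
    name = safe_filename(filename)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    is_svg = declared_type.lower().startswith("image/svg") or looks_like_svg(data)
    if is_svg:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    else:
        headers["Content-Type"] = declared_type
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(render_card_field("Name", '<b>Bob</b> & "Co"'))
    svg_bytes = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
    print(attachment_headers("logo.svg", svg_bytes, "image/png"))  # mislabelled SVG
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(attachment_headers("photo.png", png_bytes, "image/png"))
```

The sniffing step matters because a file upload endpoint that only checks the declared type (or the extension) can be handed an SVG labelled as another image type; serving it as a download regardless of label removes the "preview executes script" path described in the advisory, while the CSP `sandbox` directive covers any other active content that slips through.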

Generated by OpenCVE AI on May 10, 2026 at 14:38 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Cmdbuild; Cmdbuild cmdbuild
Vendors & Products    -                Cmdbuild; Cmdbuild cmdbuild

Sun, 10 May 2026 13:00:00 +0000

Type          Values Removed   Values Added
Description   -                CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments.
Title         -                CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting
Weaknesses    -                CWE-79
References    -                
Metrics       -                cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
                               cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T11:55:37.822Z

Reserved: 2026-02-01T11:24:18.716Z

Link: CVE-2021-47925

Vulnrichment

Updated: 2026-05-11T11:55:34.443Z

NVD

Status: Received

Published: 2026-05-10T13:16:28.437

Modified: 2026-05-10T13:16:28.437

Link: CVE-2021-47925

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:37Z

Weaknesses