Description
ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage.
Published: 2026-05-05
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits the injection of arbitrary client‑side script into the system status page of ISPConfig 3.3.0. An attacker with the ability to trigger the vulnerable page can run scripts in the context of any user who visits that page, potentially exfiltrating session data, modifying displayed information, or executing additional malicious actions that depend on the target's privileges. The flaw is a classic reflected XSS weakness.

Affected Systems

The web‑based hosting control panel ISPConfig, version 3.3.0, is affected. No other versions or vendor variations are listed in the available data.

Risk and Exploitability

The CVSS base score is 4.7, indicating a medium severity. No EPSS score is currently available, but the vulnerability is not listed in CISA’s KEV catalog, suggesting that publicly available exploits are not yet widespread. The likely attack vector is remote via the web interface; exploitation requires a user to view the system status page, which may be protected by authentication. Because the exposed page may be accessed by administrators, the potential impact of a successful attack is significant if the page is not properly restricted.

Generated by OpenCVE AI on May 5, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install ISPConfig 3.3.0p2 or later to apply the vendor‑issued fix.
  • Limit access to the system status page to privileged administrators only, reducing the number of users exposed to the flaw.
  • Ensure that any dynamic content rendered on the status page is properly escaped or sanitized before display to prevent script injection.

Generated by OpenCVE AI on May 5, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via ISPConfig 3.3.0 System Status Page

Tue, 05 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via ISPConfig 3.3.0 System Status Page
First Time appeared Ispconfig
Ispconfig ispconfig
Weaknesses CWE-79
Vendors & Products Ispconfig
Ispconfig ispconfig

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage.
References

Subscriptions

Ispconfig Ispconfig
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T18:58:11.246Z

Reserved: 2025-06-16T00:00:00.000Z

Link: CVE-2025-52206

cve-icon Vulnrichment

Updated: 2026-05-05T18:57:25.366Z

cve-icon NVD

Status : Received

Published: 2026-05-05T16:16:09.633

Modified: 2026-05-05T20:16:35.083

Link: CVE-2025-52206

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T21:00:10Z

Weaknesses