Description
Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alpha.
Published: 2026-03-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Census CSWeb 8.0.1 stores user-supplied field content without sanitizing it, allowing a remote authenticated attacker to embed JavaScript in the stored data. When another user later views that data, the script runs in the victim's browser with the victim's session, enabling session hijacking, cookie theft, or data exfiltration. The weakness is a classic stored XSS flaw (CWE-79).

Affected Systems

Census CSWeb version 8.0.1 is affected. No other versions or products are listed in the CNA data.

Risk and Exploitability

The CVSS v4.0 score of 5.1 indicates moderate risk; the EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, suggesting a low current likelihood of exploitation. Exploitation requires the attacker to hold valid credentials for the application, after which malicious input can be stored and later rendered to other users; a victim must view the stored content for the script to run. The attack is delivered through the web interface over the network, so valid credentials are the only prerequisite.

Generated by OpenCVE AI on March 25, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade CSWeb to version 8.1.0 or later, which removes the vulnerability
  • If an upgrade is not immediately possible, sanitize or escape (output-encode) all user-supplied input wherever it is rendered, so stored content cannot execute as script
  • Apply the principle of least privilege to user accounts to limit what an authenticated attacker can reach
  • Monitor application logs for submissions containing HTML or script markup in user-supplied fields, and review authentication activity for unusual account use

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 21:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Csprousers; Csprousers csweb
CPEs                |                | cpe:2.3:a:csprousers:csweb:8.0.1:*:*:*:*:*:*:*
Vendors & Products  |                | Csprousers; Csprousers csweb

Wed, 25 Mar 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Census; Census csweb
Vendors & Products  |                | Census; Census csweb

Tue, 24 Mar 2026 02:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alpha.
Title       |                | Census CSWeb stored XSS
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}
            |                | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-25T14:47:20.070Z

Reserved: 2025-09-26T05:34:11.056Z

Link: CVE-2025-60948

Vulnrichment

Updated: 2026-03-25T14:47:14.190Z

NVD

Status: Analyzed

Published: 2026-03-23T22:16:22.960

Modified: 2026-03-25T21:07:16.313

Link: CVE-2025-60948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:20:32Z

Weaknesses