Description
A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. NOTE: the Supplier's position is that a fix for this had already been released for the 8.3.1 branch before the CVE Record was published.
Published: 2026-04-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

A stored cross‑site scripting vulnerability (CWE-79) exists in Kiamo before version 8.4, due to improper output encoding of user‑supplied input in the administrative interfaces. An authenticated administrator can store arbitrary JavaScript that runs in the browser of every user who later views the affected pages. The supplier's position is that a fix had already been released on the 8.3.1 branch before the CVE record was published, so a fixed build is also available to installations that cannot move to 8.4 yet.

Affected Systems

All installations of Kiamo with a version older than 8.4 are impacted. The flaw resides in the administrative interfaces and requires administrator‑level authentication to inject the malicious script.

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, an authenticated account needed to store the payload (the vector rates the required privilege as low, while the description specifies an administrative user), user interaction required because a victim must open the affected page, and, as is usual for stored XSS, a scope change from the application into the victim's browser with partial confidentiality and integrity impact. EPSS puts the exploitation probability below 1%, the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment records no known exploitation and rates it not automatable. Once a payload is stored, every user who opens the affected administrative page executes it; because those pages sit in the administrative interfaces, the victims are typically other administrators, which is what makes the flaw worth patching despite the medium score.

Generated by OpenCVE AI on April 27, 2026 at 19:57 UTC.

Remediation

The OpenCVE remediation field records no vendor fix or workaround, but the CVE description itself limits the flaw to Kiamo before 8.4 and carries the supplier's position that a fix was already released on the 8.3.1 branch before publication; treat 8.4, or the fixed 8.3.1 build, as the remediation.

OpenCVE Recommended Actions

  • Apply the latest Kiamo release (v8.4 or newer) to fix the vulnerability.
  • If an immediate update cannot be applied, limit or disable access to the affected administrative interfaces (for example, restrict them to a management network or a small allow-list of administrators) until the update is in place.
  • As a temporary mitigation, configure a Content Security Policy on the administrative pages whose script-src omits 'unsafe-inline' and authorises the pages' own scripts with nonces or hashes; this makes the browser refuse injected inline scripts and event-handler attributes, but it does not remove a payload that is already stored and is not a substitute for output encoding.


Tracking


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Stored XSS in Kiamo Admin Interfaces

Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description
  Removed: A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages.
  Added: A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. NOTE: the Supplier's position is that a fix for this had already been released for the 8.3.1 branch before the CVE Record was published.

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Stored XSS in Kiamo Admin Interfaces

Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Stored XSS in Kiamo Admin Interfaces
Weaknesses CWE-79

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared   Kiamo; Kiamo kiamo
Vendors & Products    Kiamo; Kiamo kiamo

Thu, 09 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T14:52:45.442Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70365

Vulnrichment

Updated: 2026-04-10T17:59:41.414Z

NVD

Status : Awaiting Analysis

Published: 2026-04-09T16:16:25.707

Modified: 2026-04-22T16:16:52.120

Link: CVE-2025-70365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:00:05Z

Weaknesses