Description
Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user's session.
Published: 2026-04-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A defect in Vtiger CRM 8.4.0’s MailManager module allows an attacker to supply a double URL‑encoded value for the _folder parameter, which is then reflected back into the page and executed as JavaScript in the browser of an authenticated user. This vulnerability can be exploited to run arbitrary scripts in the context of the authenticated session, potentially enabling theft of session cookies, impersonation, or delivery of malicious content to colleagues. The scope is limited to users who have valid login credentials and access to the MailManager feature.

Affected Systems

The vulnerability affects the Vtiger CRM product, specifically version 8.4.0. No other versions or vendors are currently listed as impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score below 1% suggests a low likelihood of exploitation in the wild; the issue is not currently listed in the CISA KEV catalog. Exploitation requires a victim who holds an authenticated Vtiger session with access to the MailManager module and who can be induced to open a crafted URL carrying the double-encoded _folder value (the vector records user interaction as required), so the attacker needs a way to deliver that link to such a user. Given these constraints the overall risk is moderate, but it rises in deployments where many users work in MailManager, since each of them is a potential target.

Generated by OpenCVE AI on April 14, 2026 at 18:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Vtiger CRM to a fixed release once the vendor publishes one; no fix is listed at the time of writing.
  • If an update is not yet available, restrict access to the MailManager module to the users who need it, which reduces the pool of possible victims.
  • Validate the _folder value server-side after it has been fully decoded: compare it against an allowlist of expected folder names and HTML-encode it wherever it is written into the page. A check performed on a once-decoded value is exactly what a double-encoded payload is built to slip past.
  • Apply a Content Security Policy to the affected pages that does not allow 'unsafe-inline' in script-src; test it first, since a policy that forbids inline scripts can break pages that depend on them.

Generated by OpenCVE AI on April 14, 2026 at 18:00 UTC.
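The mechanism the analysis describes and the remediation steps above, as an added illustrative example in Python. This is not Vtiger's code and does not reproduce the MailManager code path: it shows a hypothetical filter that decodes the parameter once and inspects the result while a later layer decodes it a second time before echoing it, beside a hardened handler that decodes exactly once, allowlists the decoded folder name and HTML-escapes it on output, a log-review heuristic for double-encoded query strings, and a Content Security Policy header of the kind the recommended actions mention. The handler names, the folder allowlist pattern, the sample payload and the CSP value are all assumptions.

```python
"""Illustrative simulation of the double URL-decoding pattern behind a reflected
XSS and of a hardened handler. Added example: this is not Vtiger's code and does
not reproduce the MailManager code path; handler names, the folder allowlist and
the CSP value are assumptions."""
import html
import re
from typing import Optional
from urllib.parse import quote, unquote

# Constructed test input: a script tag URL-encoded twice ("%3C" becomes "%253C").
PAYLOAD = "<script>alert(1)</script>"
SINGLE_ENCODED = quote(PAYLOAD, safe="")
DOUBLE_ENCODED = quote(SINGLE_ENCODED, safe="")


def naive_filter(raw_param: str) -> Optional[str]:
    """Hypothetical filter: decodes once and rejects angle brackets.
    Returns the once-decoded value, or None when it is rejected."""
    once = unquote(raw_param)
    if re.search(r"[<>]", once):
        return None
    return once


def vulnerable_render(raw_param: str) -> str:
    """Hypothetical vulnerable handler. The filter inspects the first decoding,
    but a later layer decodes again and the result is echoed unescaped, so a
    doubly encoded payload passes the check and lands in the page as markup."""
    folder = naive_filter(raw_param)
    if folder is None:
        return "<p>Invalid folder</p>"
    folder = unquote(folder)  # second decode undoes the outer encoding layer
    return f"<p>Folder: {folder}</p>"


# Assumed allowlist: folder names are short and drawn from a safe character set.
FOLDER_RE = re.compile(r"[A-Za-z0-9_./-]{1,64}")


def hardened_render(raw_param: str) -> str:
    """Decode exactly once, allowlist the decoded value, and HTML-escape on
    output. A leftover '%' from a second encoding layer fails the allowlist,
    and escaping neutralises anything that somehow reaches the template."""
    folder = unquote(raw_param)
    if not FOLDER_RE.fullmatch(folder):
        return "<p>Invalid folder</p>"
    return f"<p>Folder: {html.escape(folder, quote=True)}</p>"


DOUBLE_ENCODED_RE = re.compile(r"%25[0-9A-Fa-f]{2}")


def looks_double_encoded(raw_query: str) -> bool:
    """Heuristic for log review or WAF rules: a literal '%25' followed by two
    hex digits is an encoded percent sign, i.e. a second encoding layer."""
    return DOUBLE_ENCODED_RE.search(raw_query) is not None


def csp_header() -> tuple:
    """Assumed policy: scripts only from the site's own origin and no
    'unsafe-inline', so an injected inline <script> block is not executed."""
    policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    return ("Content-Security-Policy", policy)


if __name__ == "__main__":
    print("single-encoded rejected by filter:", naive_filter(SINGLE_ENCODED) is None)
    print("vulnerable:", vulnerable_render(DOUBLE_ENCODED))
    print("hardened:  ", hardened_render(DOUBLE_ENCODED))
    print("hardened:  ", hardened_render("Inbox"))
    print("flagged:   ", looks_double_encoded("module=MailManager&_folder=" + DOUBLE_ENCODED))
    print(*csp_header(), sep=": ")
```

The allowlist pattern is a placeholder and must be aligned with the folder names a real deployment uses (mailbox names may contain spaces or non-ASCII characters); the important property is that validation runs on the fully decoded value and that output encoding is applied regardless. The heuristic in looks_double_encoded is for triage of access logs or a WAF rule, not a substitute for fixing the handler, since legitimate values can contain an encoded percent sign.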

Tracking


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Reflected XSS in Vtiger CRM 8.4.0 MailManager via Double URL‑Encoded Folder Parameter

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Reflected XSS in Vtiger CRM 8.4.0 MailManager via Double URL‑Encoded Folder Parameter

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared: Vtiger, Vtiger crm
Vendors & Products: Vtiger, Vtiger crm

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-79
Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user's session.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:21:22.985Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70936

Vulnrichment

Updated: 2026-04-14T15:21:10.670Z

NVD

Status: Received

Published: 2026-04-13T21:16:23.793

Modified: 2026-04-14T16:16:35.077

Link: CVE-2025-70936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses