Description
CVE-2026-0518 is a cross-site scripting vulnerability in versions of
Secure Access prior to 14.20. An attacker with administrative privileges
can interfere with another administrator’s use of the console.
Published: 2026-01-17
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting, exploitable only by users with administrative privileges, that can interfere with other administrators' sessions.
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw in the Secure Access console that exists in all releases prior to version 14.20. An attacker who has administrative privileges can inject malicious script payloads into the console, potentially causing the console to execute the attacker’s code in the context of another administrator. Because the code runs with the privileges of the victim administrator, the attacker could manipulate the administrator’s session, exfiltrate sensitive information, or redirect the user to a malicious site, thereby compromising the integrity and availability of the console for legitimate administrators.

Affected Systems

Absolute Security’s Secure Access product is affected for all releases earlier than 14.20. No specific patch versions are listed; consequently any installation that runs a version older than 14.20 is vulnerable.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact, and the EPSS probability of less than 1% signifies that exploitation is unlikely in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires administrative credentials to the console, so the threat is an insider or compromised-account scenario rather than an unauthenticated remote attacker injecting arbitrary scripts.

Generated by OpenCVE AI on April 18, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Secure Access to version 14.20 or newer.
  • Restrict administrative privileges to a tightly controlled group and enforce strong multi‑factor authentication.
  • For organizations unable to upgrade immediately, deploy a web application firewall or implement output encoding to prevent script injection.



Advisories

No advisories yet.

History

Mon, 02 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*
Metrics cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Tue, 20 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Absolute; Absolute secure Access
Vendors & Products Absolute; Absolute secure Access

Sat, 17 Jan 2026 02:00:00 +0000

Type Values Removed Values Added
Description CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator’s use of the console.
Title XSS in Secure Access Consoles prior to 14.20
References
Metrics cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Absolute

Published:

Updated: 2026-01-20T18:37:15.079Z

Reserved: 2025-12-12T17:25:32.054Z

Link: CVE-2026-0518

Vulnrichment

Updated: 2026-01-20T18:37:08.590Z

NVD

Status: Analyzed

Published: 2026-01-17T02:15:49.470

Modified: 2026-02-02T16:03:47.780

Link: CVE-2026-0518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses