Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS.This issue affects CentreWare: through 7.0.6. 

Consider
upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com
Published: 2026-02-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Upgrade
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that permits stored cross‑site scripting (XSS). Attackers can insert malicious code into user‑controlled fields; the code is subsequently saved and rendered within the web application when other users view the affected content, causing arbitrary JavaScript to execute in those users’ browsers.

Affected Systems

Xerox CentreWare Web on Microsoft Windows operating systems is affected in all releases up to and including version 7.0.6. Any deployment of these versions that exposes the vulnerable web pages is susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, while the EPSS of less than 1 % points to a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely via the web interface where user input is stored; no explicit authentication or privilege prerequisites are stated, so exploitation could be possible from any user who can submit data to the vulnerable page.

Generated by OpenCVE AI on April 18, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xerox CentreWare Web to at least version 7.2.2.25 using the official update bundles available on Xerox.com.
  • Apply input sanitization that escapes or removes script tags and other executable content from user‑supplied data, following standard practices for mitigating CWE‑79.
  • Restrict access to the vulnerable interfaces and monitor web traffic for anomalous activity using a web application firewall or security logging tools.

Generated by OpenCVE AI on April 18, 2026 at 13:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:xerox:centreware_web:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Xerox
Xerox centreware Web
Vendors & Products Xerox
Xerox centreware Web

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS.This issue affects CentreWare: through 7.0.6.  Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com
Title Stored XSS on Xerox CentreWare Web 7.0.6
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Microsoft Windows
Xerox Centreware Web
cve-icon MITRE

Status: PUBLISHED

Assigner: Xerox

Published:

Updated: 2026-02-06T18:42:12.895Z

Reserved: 2026-02-02T15:52:12.797Z

Link: CVE-2026-1769

cve-icon Vulnrichment

Updated: 2026-02-06T18:42:06.665Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T18:15:56.193

Modified: 2026-02-24T20:58:11.823

Link: CVE-2026-1769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses