Description
Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and password combination, the supplied username value is recorded in the application logs. Due to lack of input sanitization, an attacker can inject a malicious XSS payload into the username field.
This payload will be executed in the context of the administrator’s browser when the admin accesses the web application's log viewer.

The vendor was notified early about this vulnerability, but didn't respond to our messages. This issue was fixed in version 10.0.6
Published: 2026-05-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Verba’s login logging mechanism stores the user‑supplied username unfiltered when a login attempt fails. An unauthenticated remote attacker can insert a malicious XSS payload into the username field, which is then persisted to the application logs. When an administrator later accesses the log viewer, the injected script executes in the administrator’s browser.

Affected Systems

Verint’s Verba application is affected. All releases prior to version 10.0.6 contain the flaw; the issue was corrected in 10.0.6.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw remotely without authentication by submitting a crafted username during a failed login attempt. When admins subsequently visit the log viewer, the payload will execute in their browser.

Generated by OpenCVE AI on May 14, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Verba to version 10.0.6 or later.
  • Limit access to the log viewer to authenticated administrators only or disable the log viewer if not needed.
  • If an upgrade is not immediately possible, configure the application to sanitize the username input before logging or escape log output to prevent script execution.

Generated by OpenCVE AI on May 14, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Verint verba Collaboration Compliance And Quality Management Platform
CPEs cpe:2.3:a:verint:verba_collaboration_compliance_and_quality_management_platform:*:*:*:*:*:*:*:*
Vendors & Products Verint verba Collaboration Compliance And Quality Management Platform
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 15 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Verint
Verint verba
Vendors & Products Verint
Verint verba

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and password combination, the supplied username value is recorded in the application logs. Due to lack of input sanitization, an attacker can inject a malicious XSS payload into the username field. This payload will be executed in the context of the administrator’s browser when the admin accesses the web application's log viewer. The vendor was notified early about this vulnerability, but didn't respond to our messages. This issue was fixed in version 10.0.6
Title Stored XSS in Verba
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Verint Verba Verba Collaboration Compliance And Quality Management Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-14T15:29:06.053Z

Reserved: 2026-01-05T11:45:11.492Z

Link: CVE-2026-21730

cve-icon Vulnrichment

Updated: 2026-05-14T15:29:03.011Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T15:16:44.577

Modified: 2026-06-01T13:51:17.240

Link: CVE-2026-21730

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:21:18Z

Weaknesses