Description
A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions to be performed on behalf of privileged users. This issue affects Plunet BusinessManager: 10.15.1
Published: 2026-02-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting enabling unauthorized actions on behalf of privileged users
Action: Immediate Patch
AI Analysis

Impact

A stored cross-site scripting flaw has been identified in Plunet BusinessManager. An attacker can enter malicious JavaScript that the system stores and later renders in other users' browsers. The description states that the flaw allows unauthorized actions to be performed on behalf of privileged users, implying that the injected code runs with the victim's session privileges. The root cause is not explicitly given; the nature of the defect suggests that user input is not properly sanitized or encoded before being rendered, which is an inference from the wording of the description rather than a documented fact.

Affected Systems

Affected product: Plunet BusinessManager, version 10.15.1. The vendor published a fix in version 10.20 and later; earlier releases are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 8.6 classifies the vulnerability as high severity. The EPSS score is below 1%, indicating that exploitation in the wild is currently unlikely, but the flaw remains dangerous wherever an attacker can inject a payload. The vulnerability is not listed in the CISA KEV catalog. An attacker would need access to an input field whose content the application stores and later renders (potentially as an authenticated user, or as any party able to submit data) in order to embed a script that executes in other users' browsers.

Generated by OpenCVE AI on April 18, 2026 at 19:42 UTC.

Remediation

Vendor Solution

Upgrade Plunet BusinessManager to version 10.20 or later, which includes a fix for the identified cross-site scripting vulnerabilities.


OpenCVE Recommended Actions

  • Upgrade Plunet BusinessManager to version 10.20 or later, which includes the vendor’s fix.
  • Sanitize all user‑supplied data using a whitelist approach and enforce proper output encoding before rendering that data in browsers.
  • Deploy a Content Security Policy that restricts script execution and consider a web application firewall to block malicious payloads.
  • Limit or monitor the privileges of users who can submit data until the patch is applied.
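As an added example (not Plunet's code and not part of this record), the following JavaScript shows what the second and third recommendations above mean in practice: context-aware output encoding for HTML body and attribute contexts, a nonce-based Content Security Policy header, and a small check that flags CSP settings which would still let injected script run. The function names, the comment object and the sample payloads are constructed for illustration.

```javascript
// Added example, not from Plunet or OpenCVE. Demonstrates the output-encoding
// and CSP advice for stored XSS; all names and inputs below are constructed.

// Encode untrusted text for an HTML element body (between tags).
// The six characters below are the ones that can change HTML structure.
function encodeForHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'/]/g, (c) => map[c]);
}

// Encode untrusted text for a quoted HTML attribute value. Every character
// outside [A-Za-z0-9] becomes a hex entity, so the value can never close the
// surrounding quote or introduce an event-handler attribute.
function encodeForHtmlAttribute(s) {
  return Array.from(String(s), (ch) =>
    /^[A-Za-z0-9]$/.test(ch)
      ? ch
      : `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`,
  ).join('');
}

// Render a stored record (e.g. a user comment) with the right encoder for
// each output context. A renderer that interpolated the raw fields here is
// the pattern that produces stored XSS.
function renderComment(comment) {
  return (
    `<div class="comment" data-author="${encodeForHtmlAttribute(comment.author)}">` +
    `<p>${encodeForHtml(comment.body)}</p></div>`
  );
}

// Build a Content-Security-Policy header value that only runs scripts the
// server explicitly nonces. The nonce must be fresh per response.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'self'",
  ].join('; ');
}

// Parse a CSP header value and return findings that would leave injected
// script executable despite the policy. An empty list means no such finding.
function cspFindings(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  // script-src falls back to default-src when absent.
  const scriptSrc = directives.get('script-src') ?? directives.get('default-src') ?? null;
  const findings = [];
  if (scriptSrc === null) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
  } else {
    if (scriptSrc.includes("'unsafe-inline'")) {
      findings.push("script-src allows 'unsafe-inline': injected <script> tags and event handlers still run");
    }
    if (scriptSrc.includes('*')) {
      findings.push('script-src allows any origin (*): attacker-hosted scripts can be loaded');
    }
  }
  if (!directives.has('object-src')) {
    findings.push("no object-src 'none': plugin content is not restricted");
  }
  return findings;
}

// Constructed sample: a comment whose fields carry typical injection attempts.
const sampleComment = { author: '" onmouseover="x', body: '<script>alert(1)</script>' };
console.log(renderComment(sampleComment));
console.log(buildCsp('d0c5-constructed-nonce'));
console.log(cspFindings("default-src *; script-src 'self' 'unsafe-inline'"));
```

The attribute encoder is deliberately stricter than the body encoder because attribute values have more ways to escape their context; a WAF or a client-side framework's auto-escaping can sit in front of this, but the server-side encoding at render time is the control that actually closes the CWE-79 defect.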

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Plunet; Plunet business Manager
Vendors & Products    -                Plunet; Plunet business Manager
Metrics               -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Description           -                A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions being performed on behalf of privileged users. This issue affects Plunet BusinessManager: 10.15.1
Title                 -                Stored XSS on Plunet BusinessManager
Weaknesses            -                CWE-79
References            -                -
Metrics               -                cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TCS-CERT

Published:

Updated: 2026-02-11T21:19:41.145Z

Reserved: 2026-02-11T14:36:10.726Z

Link: CVE-2026-2344

Vulnrichment

Updated: 2026-02-11T21:19:38.684Z

NVD

Status : Deferred

Published: 2026-02-11T15:16:17.993

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2344

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses