Description
A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw (CWE‑79) exists in the SSID processing logic of ArubaOS 10 and 8 Instant web management interfaces. An unauthenticated attacker can inject malicious JavaScript that will execute when any user views the page, enabling data theft or manipulation of configuration settings in the victim’s browser.

Affected Systems

Hewlett Packard Enterprise ArubaOS (AOS) Access Points running versions 10 and 8 Instant are affected.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score is currently unavailable. The issue is not listed in CISA’s KEV catalog. The vulnerability can be exploited from any host on the same local network that can reach the AP’s web interface; no authentication is required. An attacker who exploits it successfully gains client-side code execution in the victim’s browser, potentially compromising data confidentiality and device configuration. Because of its high score and local-network attack vector, it poses a significant risk in environments where AP management interfaces are accessible within the LAN.

Generated by OpenCVE AI on May 12, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ArubaOS firmware update that fixes the stored XSS flaw
  • Disable or restrict remote access to the AP web management interface so only trusted hosts can reach it
  • Implement network segmentation or firewall rules to limit local‑network exposure of the access points

Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hpe; Hpe arubaos
Vendors & Products | | Hpe; Hpe arubaos

Tue, 12 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.
Title | | Error in SSID Processing allows Stored XSS in Web Management Interface
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:31:00.149Z

Reserved: 2026-01-16T15:22:49.224Z

Link: CVE-2026-23819

Vulnrichment

Updated: 2026-05-12T19:30:55.704Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T19:16:28.603

Modified: 2026-05-13T15:35:17.550

Link: CVE-2026-23819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:37:48Z

Weaknesses