Description
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover


This issue affects MagicINFO 9 Server: less than 21.1090.1.
Published: 2026-02-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows attackers to upload arbitrary HTML files to MagicINFO 9 Server. Because the server fails to validate the file type, the uploaded content is stored and later rendered in the web interface, enabling stored cross‑site scripting under CWE‑434. A malicious script can then be executed in the browser context of any authenticated user, providing a path to hijack accounts and compromise data integrity.

Affected Systems

Affected systems are Samsung Electronics MagicINFO 9 Server versions prior to 21.1090.1. The issue is specific to the file‑upload component of the server software.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and while the EPSS score is below 1 %, the exploit potential remains significant in targeted environments where the application is publicly exposed. The attack requires a valid user session to upload files, but no additional authentication or privileges are enforced, making it feasible for authenticated or compromised accounts to execute malicious scripts.

Generated by OpenCVE AI on April 18, 2026 at 00:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest version of Samsung MagicINFO 9 Server (21.1090.1 or later) that includes the file‑type validation fix.
  • If an upgrade cannot be performed immediately, disable or remove the web upload feature and enforce manual page creation.
  • Implement server‑side content‑type validation to reject non‑HTML files and sanitize any stored HTML to remove executable scripts.
  • Enforce the principle of least privilege on user accounts that can access the upload functionality, limiting them to roles that do not require editing of public pages.
  • Monitor web logs for abnormal file‑upload activity and block suspicious IP addresses.

Generated by OpenCVE AI on April 18, 2026 at 00:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title Stored XSS via Unrestricted HTML Upload in Samsung MagicINFO 9 Server

Tue, 10 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung magicinfo 9 Server
CPEs cpe:2.3:a:samsung:magicinfo_9_server:*:*:*:*:*:*:*:*
Vendors & Products Samsung
Samsung magicinfo 9 Server

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Electronics
Samsung Electronics magicinfo 9 Server
Vendors & Products Samsung Electronics
Samsung Electronics magicinfo 9 Server

Mon, 02 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1.
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Samsung Magicinfo 9 Server
Samsung Electronics Magicinfo 9 Server
cve-icon MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-02-26T15:04:40.615Z

Reserved: 2026-01-30T06:07:11.090Z

Link: CVE-2026-25200

cve-icon Vulnrichment

Updated: 2026-02-02T17:54:35.496Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T05:16:05.770

Modified: 2026-03-10T18:43:02.570

Link: CVE-2026-25200

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:00:11Z

Weaknesses