Description
An HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser.
Published: 2026-04-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A failure to neutralize user‑supplied input in the tabid parameter of Vtiger CRM’s Dashboard module allows an attacker to inject arbitrary HTML content that is rendered directly in the victim’s browser. The injected code runs with the privileges of the user viewing the dashboard, enabling actions such as cookie theft, session hijacking, phishing, or defacement. The flaw is a classic cross‑site scripting vulnerability arising from improper output encoding.

Affected Systems

Vtiger CRM (open‑source edition) version 8.4.0. The vulnerability is located in the DashBoardTab view during the getTabContents action and only this version is confirmed to be affected. No other versions are listed in the available data.

Risk and Exploitability

The CVSS score is 6.1, EPSS score is <1%, and the vulnerability is not listed in CISA’s KEV catalog. The low EPSS score suggests that exploitation is unlikely in the near term, although the flaw remains a medium‑severity XSS risk if an attacker manages to supply a malicious tabid parameter. The impact on confidentiality, integrity, and availability remains significant for authenticated users who can view the dashboard.

Generated by OpenCVE AI on April 16, 2026 at 02:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch to Vtiger CRM or upgrade to a version that addresses the Dashboard module issue.
  • If a patch is unavailable, limit access to the Dashboard module or the tabid parameter to users with strictly necessary privileges.
  • Implement server‑side sanitization of the tabid parameter and ensure all output is properly escaped before rendering.
  • Deploy a strict Content Security Policy to block execution of inline or unknown scripts.
  • Monitor dashboard pages for unexpected HTML content and review logs for suspicious activity.
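
One way to act on the last recommendation, as an added example that is neither OpenCVE's nor Vtiger's code: a Python scan over constructed Apache-style access-log lines that flags getTabContents requests to the DashBoardTab view whose tabid value is not a plain integer, after undoing nested percent-encoding. The query-string layout (view=DashBoardTab&mode=getTabContents&tabid=...) is an assumption built from the names in the advisory, not taken from the Vtiger source.

```python
"""CVE-2026-26460 detection aid: flag DashBoardTab/getTabContents requests with a non-integer tabid."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache combined format). The parameter layout
# view=DashBoardTab&mode=getTabContents&tabid=... is an assumption, not taken from Vtiger.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2026:10:01:02 +0000] "GET /index.php?module=Vtiger&view=DashBoardTab&mode=getTabContents&tabid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Apr/2026:10:02:15 +0000] "GET /index.php?module=Vtiger&view=DashBoardTab&mode=getTabContents&tabid=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2026:10:03:44 +0000] "GET /index.php?module=Vtiger&view=DashBoardTab&mode=getTabContents&tabid=%253Cb%253E HTTP/1.1" 200 5200 "-" "curl/8.0"
203.0.113.5 - - [13/Apr/2026:10:04:00 +0000] "GET /index.php?module=Contacts&view=List&tabid=%3Cb%3E HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PLAIN_ID = re.compile(r"^\d+$")

def decode_fully(value: str, limit: int = 3) -> str:
    """Undo nested percent-encoding (%253C -> %3C -> <) at most `limit` times."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_dashboard_tab_request(params: dict) -> bool:
    """True for the DashBoardTab view's getTabContents request named in the advisory."""
    return (params.get("view", [""])[0] == "DashBoardTab"
            and params.get("mode", [""])[0] == "getTabContents")

def suspicious_tabid(value: str) -> bool:
    """A legitimate tabid is a numeric tab id; anything else (markup, quotes) is flagged."""
    return PLAIN_ID.match(decode_fully(value)) is None

def scan_log(text: str) -> list:
    """Return (client_ip, decoded_tabid) for every flagged request in the log text."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs strips one level of percent-encoding; decode_fully handles any nesting
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if not is_dashboard_tab_request(params):
            continue
        for raw in params.get("tabid", []):
            if suspicious_tabid(raw):
                findings.append((line.split()[0], decode_fully(raw)))
    return findings
```

The fourth sample line carries markup in tabid but targets a different view, so it is not reported; only the two DashBoardTab requests are flagged.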

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title HTML Injection in Vtiger CRM Dashboard Module
Weaknesses CWE-79

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-80
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title HTML Injection in Vtiger CRM Dashboard Module
Weaknesses CWE-79

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared: Vtiger, Vtiger crm
Vendors & Products: Vtiger, Vtiger crm

Mon, 13 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description An HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T15:36:23.365Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26460

Vulnrichment

Updated: 2026-04-15T15:36:17.688Z

NVD

Status : Received

Published: 2026-04-13T21:16:24.020

Modified: 2026-04-15T16:16:34.810

Link: CVE-2026-26460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses