Description
A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input.
Published: 2026-04-22
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (arbitrary JavaScript execution in user browsers)
Action: Patch
AI Analysis

Impact

A reflected cross-site scripting flaw in the AdvancedSearch feature of Silverpeas Core allows an attacker to embed malicious JavaScript into responses that are returned to the user; the code then executes in the victim's browser context. The primary impact is that an attacker can run arbitrary scripts in the context of any user who views the reflected payload.

Affected Systems

Silverpeas Core installations running any version earlier than 6.4.6 are affected. No other vendors or product lines are explicitly listed as impacted.

Risk and Exploitability

The vulnerability is a reflected XSS that requires an attacker to supply crafted input, typically via a link or form, that the application reflects back in the browser. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The CVSS score of 6.1 indicates a moderate risk level when exploited. The likely attack vector involves a user following a maliciously constructed URL containing the reflected script.

Generated by OpenCVE AI on April 27, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Silverpeas Core to version 6.4.6 or later, where the XSS flaw has been fixed.
  • Ensure all input to AdvancedSearch is properly sanitized or encoded before being reflected back to the browser to prevent script injection.
  • Implement a Content Security Policy that restricts execution of inline scripts and limits allowed script origins to reduce damage if the vulnerability is exploited.

Tracking

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Silverpeas; Silverpeas silverpeas
Vendors & Products                    Silverpeas; Silverpeas silverpeas

Mon, 27 Apr 2026 19:45:00 +0000

Type    Values Removed   Values Added
Title                    Reflected XSS in Silverpeas AdvancedSearch That Enables Arbitrary JavaScript Execution

Wed, 22 Apr 2026 16:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-79
Metrics                       cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input.
References                     (none)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T15:42:44.872Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30139

Vulnrichment

Updated: 2026-04-22T15:40:16.407Z

NVD

Status: Deferred

Published: 2026-04-22T16:16:53.367

Modified: 2026-04-22T21:18:45.917

Link: CVE-2026-30139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:21:11Z

Weaknesses