Description
Cross Site Scripting (XSS) vulnerability in Timo 2.0.3 via crafted links in the title field.
Published: 2026-03-26
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

An attacker can place crafted links in the title field of Timo 2.0.3; the stored value is then rendered so that JavaScript executes in a user’s browser. This input handling flaw enables cross‑site scripting, which could lead to theft of session tokens, defacement, or the execution of malicious code in the context of a legitimate user’s session.

Affected Systems

The vulnerability affects Timo version 2.0.3 developed by AuntVT. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS score of 6.1 corresponds to Medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The issue is not listed in CISA’s KEV catalog, and no active public exploits have been reported. The attack vector is inferred to be a local user or an authenticated actor who can create or edit titles, leading to stored XSS in other users’ browsers.

Generated by OpenCVE AI on April 1, 2026 at 05:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for an updated release of Timo that addresses the XSS issue; if available, upgrade immediately.
  • If no patch is available, sanitize the title input by escaping or removing URLs before storing or displaying it.
  • Implement a Content Security Policy that restricts the loading of external scripts and resources.
  • Disable or limit the ability for users to include links in the title field through configuration or UI changes.
  • Continuously monitor for new advisories or patches related to this vulnerability and apply them as soon as they become available.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Timo 2.0.3 Cross‑Site Scripting via Title Field Links

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:auntvt:timo:2.0.3:*:*:*:*:*:*:*

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Timo 2.0.3 Cross‑Site Scripting via Title Field Links

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared: Auntvt; Auntvt timo
Vendors & Products: Auntvt; Auntvt timo

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-26T18:11:39.146Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30162

Vulnrichment

Updated: 2026-03-26T18:11:30.787Z

NVD

Status: Analyzed

Published: 2026-03-26T15:16:36.600

Modified: 2026-03-31T21:08:50.230

Link: CVE-2026-30162

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:01Z
