Description
Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, allowing malicious JavaScript payloads to be persistently stored in the database. When other users view the imported passwords, the payload is automatically executed in their browsers, resulting in a stored XSS condition at the endpoint 'redacted/index.php?page=items'. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of multiple users and the administrator, which can lead to session hijacking, credential theft, privilege abuse, and compromise of application integrity.
Published: 2026-03-31
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowing arbitrary JavaScript execution
Action: Immediate Patch
AI Analysis

Impact

Teampass versions before 3.1.5.16 (the range given in the CVE description) contain a stored cross-site scripting flaw in the password import path: imported fields are written to the database without sanitisation and later rendered on the items page (index.php?page=items) without output encoding, so script embedded in an import file runs in the browser of every user who views those items, administrators included. From there an attacker can hijack sessions, read credentials the victim is entitled to see, act with the victim's privileges and tamper with stored data.
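To make the mechanism concrete, here is an added example written for this page; it is not Teampass code and was not taken from the advisory. It models a constructed import file with one malicious row, the unencoded rendering pattern that turns it into stored XSS, the same row rendered with context-aware output encoding, and a small triage helper for finding already-stored items that look like payloads. The CSV column layout, the field and function names and the payload are assumptions chosen for illustration; the real Teampass import format and templates were not consulted.

```javascript
// Added example, not Teampass code. Models the advisory's flaw: an
// import row stored verbatim and later written into HTML without
// encoding. Column layout, field names and payload are assumptions.

// Constructed import file (assumed layout: label,login,password,url).
// The second row carries a payload in the label column.
const IMPORT_CSV = [
  "label,login,password,url",
  "Mail server,admin,S3cret!,https://mail.example.test",
  "<img src=x onerror=alert(document.domain)>,svc,hunter2,https://intranet.example.test",
].join("\n");

// Minimal CSV parser; enough for the constructed sample (no quoted commas).
function parseImport(csv) {
  const [header, ...rows] = csv.split("\n");
  const cols = header.split(",");
  return rows.map((line) => {
    const vals = line.split(",");
    return Object.fromEntries(cols.map((c, i) => [c, vals[i] ?? ""]));
  });
}

// Vulnerable pattern: stored fields concatenated straight into markup.
// Whatever was imported, including the <img ... onerror=...> label,
// reaches every viewer's browser as live HTML.
function renderRowUnsafe(item) {
  return `<tr><td>${item.label}</td><td>${item.login}</td>` +
    `<td><a href="${item.url}">${item.url}</a></td></tr>`;
}

// Entity-encode for HTML element content and double-quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// href is a URL context, not plain text: entity encoding alone will not
// stop a javascript: URL, so only http(s) URLs are allowed through.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === "https:" || u.protocol === "http:") return escapeHtml(u.href);
  } catch (_) {
    // not a parseable URL; fall through to the inert value
  }
  return "#";
}

// Hardened rendering: the same row, encoded per output context.
function renderRowSafe(item) {
  return `<tr><td>${escapeHtml(item.label)}</td><td>${escapeHtml(item.login)}</td>` +
    `<td><a href="${safeHref(item.url)}">${escapeHtml(item.url)}</a></td></tr>`;
}

// Post-patch triage: the payload lives in the database, so after
// upgrading, scan stored items for markup, inline event handlers or
// javascript: URLs and report which row and field carries them.
const MARKUP_RE = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:/i;
function findSuspiciousItems(items) {
  const hits = [];
  items.forEach((item, row) => {
    for (const [field, value] of Object.entries(item)) {
      if (MARKUP_RE.test(value)) hits.push({ row, field });
    }
  });
  return hits;
}

// Stand-alone run: show both renderings and the triage result.
function demo() {
  const items = parseImport(IMPORT_CSV);
  console.log("unsafe:", renderRowUnsafe(items[1]));
  console.log("safe:  ", renderRowSafe(items[1]));
  console.log("flagged:", findSuspiciousItems(items));
}
demo();
```

The point to take from it: the fix belongs wherever untrusted text meets HTML (encode for the exact context being written into, and validate URLs before they reach an href), and because the payload is persisted, patching the code path does not remove rows that were imported before the upgrade, so a scan of existing items is part of remediation.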

Affected Systems

The vulnerability affects the Teampass password manager (vendor Teampass). The CVE description gives the affected range as all releases earlier than 3.1.5.16, but the fixed version recorded on this page, and the version-specific CPE entry, is 3.1.5.24; the records do not agree on where the boundary lies. Until the vendor clarifies, treat any release older than 3.1.5.24 as potentially affected.

Risk and Exploitability

The CNA's CVSS 4.0 score of 9.3 (PR:N/UI:N, VC:H/VI:H) signals critical risk, but NVD's later CVSS 3.1 assessment is 5.4 Medium (PR:L/UI:R/S:C), and the 3.1 vector is the one that matches the description: the attacker needs an account permitted to import passwords, and the payload only fires when another user opens the items page. EPSS is below 1% and the vulnerability is not in the CISA KEV catalog; the SSVC record marks it as automatable with total technical impact and no known exploitation. Once a malicious import is in the database, every user who views the affected items, administrators included, triggers the payload, so the practical reach is the whole user base of the instance even though the entry point is a low-privilege account.

Generated by OpenCVE AI on March 31, 2026 at 10:21 UTC.

Remediation

Vendor Solution

The issue has been fixed in version 3.1.5.24.


OpenCVE Recommended Actions

  • Upgrade Teampass to version 3.1.5.24 or later, which includes the patch for the stored XSS flaw.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Metrics cvssV3_1 added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 31 Mar 2026 18:15:00 +0000

Metrics ssvc added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 09:15:00 +0000

Description added: (the CVE description quoted under Description above)
Title added: Multiple vulnerabilities in Teampass
First Time appeared: Teampass; Teampass teampass
Weaknesses added: CWE-79
CPEs added: cpe:2.3:a:teampass:teampass:*:*:*:*:*:*:*:*; cpe:2.3:a:teampass:teampass:3.1.5.24:*:*:*:*:*:*:*
Vendors & Products added: Teampass; Teampass teampass
References: (empty in this record)
Metrics cvssV4_0 added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-31T18:04:08.704Z

Reserved: 2026-02-24T10:44:57.448Z

Link: CVE-2026-3107

Vulnrichment

Updated: 2026-03-31T15:00:25.745Z

NVD

Status : Analyzed

Published: 2026-03-31T09:16:22.860

Modified: 2026-04-07T15:36:22.963

Link: CVE-2026-3107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:17Z

Weaknesses