Description
A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Published: 2026-04-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side arbitrary script execution via stored XSS
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in Bynder version 0.1.394. Attackers can inject HTML or JavaScript that is retained in the application and later served to users. When an affected user views the compromised content, the injected code executes within the victim’s browser, allowing the attacker to steal credentials, deface the site, or perform other client‑side attacks. This weakness is classified as CWE‑79.

Affected Systems

This flaw affects the Bynder web application at version 0.1.394. No other versions or vendors are listed in the CNA data. Users running this specific build are at risk.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. Exploit potential is unclear due to missing EPSS data, but the vulnerability was publicly disclosed, suggesting the risk of exploitation is non‑negligible. The issue is not yet catalogued in CISA’s KEV list, but the stored nature of the payload means that an attacker could trigger it via legitimate user interactions, making it potentially effective against unsuspecting users. The attack vector is inferred to be through the application’s content management interface, requiring user authentication and content delivery to the victim’s browser.

Generated by OpenCVE AI on April 6, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Bynder patch that removes the XSS flaw by upgrading to any version newer than 0.1.394
  • If an immediate upgrade is not possible, disable or restrict the interface components that allow content injection until a patch is applied
  • Implement a robust Content Security Policy (CSP) to block execution of injected scripts
  • Sanitize or validate all user‑supplied input before storing it in the system



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Stored XSS in Bynder v0.1.394 Enables Arbitrary Web Script Execution |
| First Time appeared | | Bynder; Bynder bynder |
| Vendors & Products | | Bynder; Bynder bynder |

Mon, 06 Apr 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T15:04:40.772Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31153

Vulnrichment

Updated: 2026-04-06T15:04:20.929Z

NVD

Status: Deferred

Published: 2026-04-06T15:17:09.670

Modified: 2026-04-16T16:15:56.380

Link: CVE-2026-31153

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:47:47Z

Weaknesses