Description
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1, which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.
Published: 2026-04-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Database compromise via SQL injection
Action: Apply patch
AI Analysis

Impact

The flaw is an SQL injection (CWE-89) in the API route that processes DataSet filters, and it is additionally classified as CWE-184 (Incomplete List of Disallowed Inputs). An authenticated user who holds either the Access to DataSet Feature or the Access to the Layout Feature privilege can supply a crafted filter value that reads or modifies arbitrary records in the Xibo database. This can be used to exfiltrate sensitive information or to tamper with the content the signage displays.

Affected Systems

The vulnerability exists in the Xibo CMS product from the vendor Xibosignage. Versions 1.7 through 4.4.0 are affected. The issue is fixed in release 4.4.1; earlier unsupported releases such as 3.3, 2.3 and 1.8 have patch releases available.

Risk and Exploitability

The CVSS score of 7.6 places the flaw in the High severity range, while the EPSS score of less than 1% suggests that exploitation attempts are unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated and hold one of the two named privileges, and reaches the flaw through the web API filtering endpoint. Once such an account is available, no further privilege escalation or external exposure is needed.

Generated by OpenCVE AI on April 28, 2026 at 14:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xibo CMS to version 4.4.1 or later to eliminate the flaw.
  • Apply the available patch releases for earlier versions (3.3, 2.3, 1.8) if you are running an unsupported release.
  • Restrict the Access to DataSet and Access to Layout privileges to only trusted administrators.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Xibosignage; Xibosignage xibo
CPEs | | cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*
Vendors & Products | | Xibosignage; Xibosignage xibo

Fri, 24 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1, which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.
Title | | Xibo CMS API has SQL Injection via DataSet Filter Parameter
Weaknesses | | CWE-184; CWE-89
References | |
Metrics | | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-24T16:31:37.061Z
Reserved: 2026-03-10T15:10:10.657Z
Link: CVE-2026-31952

Vulnrichment
Updated: 2026-04-24T16:31:34.002Z

NVD
Status: Analyzed
Published: 2026-04-24T00:16:27.780
Modified: 2026-04-27T14:33:15.200
Link: CVE-2026-31952

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-28T14:30:33Z
