Description
Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31.
Published: 2026-02-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Iframe Injection
Action: Apply Update
AI Analysis

Impact

An authenticated user can bypass the restriction on the configured frontend URL in the DatoCMS Web Previews plugin, allowing arbitrary external resources or origins to be loaded inside the preview iframe. Content loaded this way is framed by the trusted CMS interface and may appear to originate from it. Given that capability, it is inferred that an attacker could host malicious content that appears to come from the original site.

Affected Systems

The affected product is the DatoCMS Web Previews plugin, any version preceding the 1.0.31 release. Users who have configured the plugin with a frontend URL are susceptible, and the vulnerability is specific to the DatoCMS environment.

Risk and Exploitability

The CVSS score is 4.8, and the EPSS score is less than 1%. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid credentials, so the attack surface is limited to authenticated staff or contributors. While the probability of exploitation is low, an authenticated attacker can insert arbitrary iframe content that may undermine user trust.

Generated by OpenCVE AI on April 18, 2026 at 10:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DatoCMS Web Previews plugin to version 1.0.31 or later.
  • Implement a Content Security Policy (CSP) that restricts iframe sources to trusted origins.
  • Disable or restrict the Web Previews feature for users who do not require it.
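The two technical actions above (an allowlist on the configured frontend URL and a CSP that restricts frame sources) can be expressed in a few lines. The following is an added example written for this record, not code from DatoCMS or the Web Previews plugin, and it does not describe how the plugin's own check was bypassed. It assumes an administrator-maintained allowlist of preview origins (the `example.com` hosts are constructed sample values) and that the same check runs wherever the preview URL is read before it becomes an iframe `src`:

```javascript
// Added example (not DatoCMS's or the plugin's code): validate a configured
// preview frontend URL against an explicit allowlist of origins before it is
// used as an iframe src, and derive a matching CSP frame-src directive.

// Constructed sample allowlist; in practice this is admin-configured.
const ALLOWED_ORIGINS = Object.freeze([
  "https://preview.example.com",
  "https://staging.example.com",
]);

// Generic anti-pattern for comparison only (not a statement about this
// plugin's code): prefix matching on the configured URL string. It accepts
// "https://preview.example.com.attacker.tld/" because the string starts with
// the configured value.
function weakPrefixCheck(candidate, configuredFrontendUrl) {
  return typeof candidate === "string" && candidate.startsWith(configuredFrontendUrl);
}

// Hardened check: parse, then compare the full origin (scheme + host + port)
// for exact equality against the allowlist. Returns the normalized href on
// success and null on any failure, so callers cannot forget to handle it.
function resolvePreviewUrl(candidate, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    // Absolute parse only: a relative or protocol-relative value throws
    // here rather than being resolved against the CMS origin.
    url = new URL(candidate);
  } catch {
    return null;
  }
  // Only https previews: rejects javascript:, data:, blob: and plain http.
  if (url.protocol !== "https:") return null;
  // Reject credentials in the authority part ("https://trusted@other.tld").
  if (url.username || url.password) return null;
  // Exact origin comparison: no substring or suffix matching, so a
  // lookalike host such as preview.example.com.attacker.tld fails.
  if (!allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// Build the CSP directive that makes the browser enforce the same list,
// so a bypass of the application check is still blocked at render time.
function frameSrcDirective(allowedOrigins = ALLOWED_ORIGINS) {
  return `frame-src ${allowedOrigins.join(" ")};`;
}

// Attributes for the preview iframe, or null if the URL is not allowed.
// The sandbox keeps framed content from navigating the CMS page itself.
function previewIframeAttributes(candidate) {
  const src = resolvePreviewUrl(candidate);
  if (src === null) return null;
  return { src, sandbox: "allow-scripts allow-same-origin allow-forms" };
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "https://preview.example.com/post/1?preview=1",
    "https://preview.example.com.attacker.tld/",
    "https://user@preview.example.com/",
    "http://preview.example.com/",
    "javascript:alert(1)",
  ];
  for (const s of samples) {
    console.log(s, "->", resolvePreviewUrl(s));
  }
  console.log(frameSrcDirective());
}
```

The CSP directive is sent as the `Content-Security-Policy` response header on the CMS page that hosts the iframe; the server-side allowlist check and the browser-enforced header are independent layers, so either one failing still leaves the other in place.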


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Datocms; Datocms web Previews
Vendors & Products  |                | Datocms; Datocms web Previews

Fri, 27 Feb 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 14:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31.
Title       |                | Authenticated DatoCMS Web Previews Plugin Iframe Injection
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Intigriti

Published:

Updated: 2026-02-27T18:44:26.847Z

Reserved: 2026-02-27T14:08:55.710Z

Link: CVE-2026-3327

Vulnrichment

Updated: 2026-02-27T18:44:23.512Z

NVD

Status: Deferred

Published: 2026-02-27T15:16:30.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-3327

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses