Description
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter
Published: 2026-04-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch Now
AI Analysis

Impact

A reflected cross‑site scripting vulnerability (CWE‑79) exists in diskover-community versions 2.3.5 and earlier. The flaw allows an attacker to inject and execute arbitrary client‑side script when a user accesses the affected public/view.php page with a crafted \"doctype\" parameter. This can enable malicious scripts to run in the victim’s browser in the context of the web application.

Affected Systems

Disclosed versions of diskover-community up to and including 2.3.5 are affected. No other vendor or product information is available from the advisory.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate risk. The EPSS score is not available, so exploitation probability is uncertain. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a user to visit a URL that includes a malicious doctype value, which then reflects the payload back to the browser. No server‑side code execution or escalated privileges are granted by this flaw.

Generated by OpenCVE AI on April 28, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch of diskover-community, upgrading to a version newer than 2.3.5 to eliminate the reflected XSS flaw.
  • If immediate patching is unavailable, modify public/view.php to properly escape or encode the doctype parameter before it is included in any HTML output.
  • Deploy a web application firewall or similar filtering rules to detect and block suspicious XSS payloads targeting the doctype parameter in incoming requests.

Generated by OpenCVE AI on April 28, 2026 at 13:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Title Reflected XSS Vulnerability in diskover‑community Public View Page

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Diskoverdata
Diskoverdata diskover
Vendors & Products Diskoverdata
Diskoverdata diskover

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter
References

Subscriptions

Diskoverdata Diskover
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T17:46:35.171Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38935

cve-icon Vulnrichment

Updated: 2026-04-27T17:45:13.518Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T17:16:43.140

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-38935

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:30:32Z

Weaknesses