Description
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter
Published: 2026-04-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Update
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the namecontains parameter of diskover‑community's public/selectindices.php page. An attacker can embed arbitrary JavaScript that is executed in the victim's browser when the user accesses a crafted URL. The flaw is limited to client‑side code execution and is associated with CWE‑79.

Affected Systems

Any deployment of diskover‑community version 2.3.5 or earlier is affected. No additional vendor or product information is specified.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, implying rare exploitation. Exploitation requires an attacker to supply malicious input via the namecontains parameter and persuade a user to visit the URL, so the primary vector is unauthenticated web traffic. It does not provide remote code execution or privilege escalation on the server.

Generated by OpenCVE AI on April 28, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade diskover‑community to a version newer than 2.3.5 that includes input sanitization for the namecontains parameter.
  • If an upgrade is not possible, modify the application to encode or otherwise filter the namecontains input before echoing it to the page to eliminate XSS.
  • Restrict or require authentication for access to public/selectindices.php to reduce exposure to unauthenticated users.
  • Deploy a web application firewall or similar filtering mechanism to detect and block reflected XSS payloads.

Generated by OpenCVE AI on April 28, 2026 at 13:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Title Reflected XSS via namecontains Parameter in diskover‑community Public SelectIndices

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Diskoverdata
Diskoverdata diskover
Vendors & Products Diskoverdata
Diskoverdata diskover

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter
References

Subscriptions

Diskoverdata Diskover
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T17:45:55.506Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38936

cve-icon Vulnrichment

Updated: 2026-04-27T17:43:33.067Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T17:16:43.250

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-38936

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:30:32Z

Weaknesses