Description
A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 (Build 63255) allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and session credentials.
Published: 2026-06-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user with low privileges can inject arbitrary JavaScript that is stored by Vinna Process Monitor and later served to other users. The persisted script can read the victim’s session cookie and other sensitive information, enabling the attacker to obtain administrative credentials and take over the application.

Affected Systems

Skilja GmbH’s Vinna Process Monitor, version 4.0 Service Pack 1 (Build 63255). No other versions or vendors are listed as affected in this advisory.

Risk and Exploitability

The CVSS score of 9.3 signals a critical risk. Although the EPSS score is not provided, the flaw requires only legitimate credentials that are readily available to many users, making the attack path relatively easy. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly disclosed exploits yet, but the stored‑XSS nature means an attacker who authenticates can persist malicious code and exfiltrate tokens at any time. The likely attack vector is the web interface where the attacker submits malicious content that is later rendered to other users.

Generated by OpenCVE AI on June 9, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched build of Vinna Process Monitor (if one is available from Skilja).
  • Limit access to the web interface to trusted administrators and require multi‑factor authentication for any privileged accounts.
  • Enforce strict input validation and HTML output encoding on all user‑controlled fields to prevent injection of executable scripts.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 10:15:00 +0000

Type: Description
Values Added: A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 (Build 63255) allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and session credentials.

Type: Title
Values Added: A Stored Cross-Site Scripting (XSS) vulnerability occurs in Vinna Process Monitor

Type: First Time appeared
Values Added: Skilja Gmbh; Skilja Gmbh vinna Process Monitor

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added: cpe:2.3:a:skilja_gmbh:vinna_process_monitor:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Skilja Gmbh; Skilja Gmbh vinna Process Monitor

Type: References

Type: Metrics
Values Added:
  cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}
  cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-06-09T14:07:12.202Z

Reserved: 2026-04-16T06:00:17.599Z

Link: CVE-2026-41031

Vulnrichment

Updated: 2026-06-09T14:06:21.344Z

NVD

Status: Deferred

Published: 2026-06-09T10:16:43.850

Modified: 2026-06-09T13:57:49.980

Link: CVE-2026-41031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses