Description
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. This vulnerability is fixed in 4.4.1.
Published: 2026-05-12
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows authorized users with Library upload permissions to exploit a server‑side request forgery in the upload‑by‑URL feature. Because the requests originate from the CMS server, an attacker can reach internal or external resources, scan network infrastructure, access cloud metadata endpoints, or read sensitive data from unprotected services. The potential impact includes exfiltration of internal data, compromise of services with missing authentication, and broader reconnaissance of the environment.

Affected Systems

Xibo CMS versions prior to 4.4.1 are affected. The product is the Xibo open‑source digital signage content management system distributed by xibosignage.

Risk and Exploitability

The CVSS score of 7.7 signals a moderate to high severity, and with no EPSS data available the exploitation probability is uncertain. The vulnerability is not listed in the CISA KEV catalog. Attackers would need authenticated CMS access with Library upload rights; the SSRF vector is internal to the CMS, making it relatively easy to exploit once access is obtained.

Generated by OpenCVE AI on May 12, 2026 at 19:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xibo CMS to version 4.4.1 or later
  • Limit Library upload permissions to only trusted administrators
  • If upgrading is delayed, disable the upload‑by‑URL functionality in the CMS configuration or mitigate by restricting outbound network access from the CMS server
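The recommended actions above name the controls; as an added example that is not Xibo's code, the following Python shows the destination check an upload-by-URL feature needs to close the CWE-918 class this CVE describes: the hostname is resolved first and every resolved address is tested against loopback, RFC 1918, link-local (which covers the AWS IMDS address 169.254.169.254) and IPv4-mapped IPv6 ranges. The block list, the resolver hook and the function names are constructed for this illustration.

```python
# Added example (not Xibo's code): a destination check for an "upload by URL"
# feature. Hostnames are resolved first and every resolved address is tested, so
# a public-looking name that points at an internal address is rejected too.
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a CMS must never fetch from on a user's behalf. Constructed list;
# tune it to the deployment (e.g. add the CMS's own egress or load-balancer ranges).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",      # link-local, includes AWS IMDS at 169.254.169.254
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def resolve_all(host):
    """Default resolver: every A/AAAA answer for host (there may be several)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked_address(addr):
    """True if addr (string) falls in a range the CMS must not reach."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:        # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return ip.is_multicast or ip.is_reserved or any(ip in n for n in BLOCKED_NETWORKS)

def check_upload_url(url, resolver=resolve_all):
    """Return (allowed, reason, pinned_ips). A caller that proceeds should connect
    to one of pinned_ips and send the hostname in the Host header rather than
    resolving again, so a DNS rebinding between check and fetch cannot redirect it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme, []
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, UnicodeError) as exc:
        return False, "resolution failed: %s" % exc, []
    if not addrs:
        return False, "host resolved to no addresses", []
    blocked = [a for a in addrs if is_blocked_address(a)]
    if blocked:
        return False, "resolves to blocked address %s" % blocked[0], []
    return True, "ok", addrs
```

Pair this with the egress restriction from the list above: the application-level check catches what the CMS knows about, while the network policy catches what it does not.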



Advisories

No advisories yet.

History

Wed, 13 May 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Xibosignage; Xibosignage xibo

Type: Vendors & Products
Values Removed: (none)
Values Added: Xibosignage; Xibosignage xibo

Tue, 12 May 2026 17:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. This vulnerability is fixed in 4.4.1.

Type: Title
Values Removed: (none)
Values Added: Xibo: Authenticated Server-Side Request Forgery (SSRF) in Library Upload via URL functionality

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Xibosignage Xibo
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:11:58.367Z

Reserved: 2026-04-24T17:15:21.834Z

Link: CVE-2026-42141

Vulnrichment

Updated: 2026-05-13T14:11:52.056Z

NVD

Status: Deferred

Published: 2026-05-12T18:17:23.920

Modified: 2026-05-13T15:43:05.440

Link: CVE-2026-42141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:00:10Z

Weaknesses