Description
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and facilitate XSS. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard:
  • Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts
Users should upgrade to version 4.4.2, which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.
Published: 2026-06-10
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Xibo CMS prior to version 4.4.2 contains a vulnerability chain that combines stored XSS and an iframe sandbox escape. By using the Data Connector feature in a DataSet, an authenticated user with DataSet permissions can inject a malicious script that breaks out of the iframe sandbox, so the payload runs in the context of the CMS and can access sensitive information or perform malicious actions. This flaw is an example of unvalidated user input leading to XSS (CWE-79), improper output encoding (CWE-116), and the ability to bypass sandbox restrictions (CWE-346).

Affected Systems

Affected systems are installations of the Xibo Signage CMS with versions older than 4.4.2. Privileged users who have been granted the ability to add new DataSets via the "Add DataSet" button are able to exploit the flaw. Non-admin users normally do not receive this permission unless it has been explicitly granted.

Risk and Exploitability

The CVSS score of 7.6 classifies this vulnerability as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the CMS with DataSet creation privileges; the attacker can inject a payload through the Data Connector interface, escape the sandbox and run arbitrary JavaScript. While the exact probability of exploitation is unknown, the high impact and the need for privileged access make the risk significant for organisations that have granted DataSet permissions to many users.

Generated by OpenCVE AI on June 10, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xibo CMS to version 4.4.2 or newer to apply the vendor fix.
  • Revoke the "Add DataSet" permission from users who should not have the ability to create DataSets, thereby preventing the exploitation path for untrusted accounts.
  • Review and delete any existing DataSets that contain unvalidated scripts or connector scripts, and audit new DataSets for malicious content.
  • Monitor CMS logs for unusual DataSet creation or connector usage to detect potential abuse.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 22:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           The CVE description shown above (identical text)
Title         (none)           Xibo Vulnerable to Stored XSS and Iframe Sandbox Escape via Data Connector Script in DataSet
Weaknesses    (none)           CWE-116, CWE-346, CWE-79
References    (none)           (none)
Metrics       (none)           cvssV3_1: score 7.6, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:39:09.547Z

Reserved: 2026-04-28T16:56:50.192Z

Link: CVE-2026-42558

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T23:16:46.263

Modified: 2026-06-10T23:16:46.263

Link: CVE-2026-42558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses