Description
Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other administrators' sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).
Published: 2026-03-31
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that enables session hijacking and unauthorized actions for authenticated administrators
Action: Patch Now
AI Analysis

Impact

Multiple cross‑site scripting (XSS) flaws exist in the management interface of PaperCut NG and PaperCut MF prior to version 25.0.10. These bugs allow an authenticated administrator to inject arbitrary JavaScript or HTML into various input fields, and the injected code runs in the context of other administrator sessions. The attacker can hijack sessions, deface the interface, or perform actions normally restricted to administrative privileges.

Affected Systems

Users of PaperCut NG and PaperCut MF who are running any release before 25.0.10 are vulnerable. The flaws appear in UI fields where administrators can enter scripts or markup and affect only users with administrative rights; guest or normal users are not impacted.

Risk and Exploitability

The overall risk is low, with a CVSS score of 2.1 and an EPSS below 1%, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, because it requires an active administrator session, attackers who compromise or socially engineer an admin account could gain additional control over the system. No public exploits have been reported, but the attack path is straightforward once an admin account is compromised.

Generated by OpenCVE AI on April 3, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade PaperCut NG and PaperCut MF to version 25.0.10 or later
  • If an immediate upgrade is not possible, restrict or disable the UI fields that accept user input to prevent injection, or apply a content security policy to mitigate XSS
  • Verify that your system is running a patched version and monitor logs for suspicious scripts or unauthorized admin actions
  • Stay updated with vendor advisories for any additional fixes or guidance

Generated by OpenCVE AI on April 3, 2026 at 21:28 UTC.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type: First Time appeared
  Values Added: Papercut papercut Ng

Type: CPEs
  Values Added: cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
                cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Added: Papercut papercut Ng

Type: Metrics
  Values Added: cvssV3_1
  {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
  Values Added: Papercut
                Papercut papercut Mf

Type: Vendors & Products
  Values Added: Papercut
                Papercut papercut Mf

Tue, 31 Mar 2026 14:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type: Description
  Values Added: Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other administrators' sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).

Type: Title
  Values Added: Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF

Type: Weaknesses
  Values Added: CWE-79

Type: References
  Values Added: (none listed)

Type: Metrics
  Values Added: cvssV4_0
  {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PaperCut

Published:

Updated: 2026-03-31T14:03:59.735Z

Reserved: 2026-03-25T00:52:13.130Z

Link: CVE-2026-4794

Vulnrichment

Updated: 2026-03-31T14:03:56.164Z

NVD

Status : Analyzed

Published: 2026-03-31T01:16:36.743

Modified: 2026-04-03T18:15:05.340

Link: CVE-2026-4794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:19Z

Weaknesses