Description
A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Published: 2026-03-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting that can steal session cookies and perform unauthorized actions
Action: Patch Immediately
AI Analysis

Impact

A reflected Cross‑Site Scripting flaw is present in Support Board 3.7.7. By placing malicious JavaScript in the 'search' parameter of '/supportboard/include/articles.php', an attacker can cause a victim’s browser to execute arbitrary code. This can lead to theft of session cookies, allowing account hijacking, or enable the attacker to perform actions on behalf of the user. The weakness is classified as CWE‑79.

Affected Systems

The vulnerability affects the Schiocco Support Board application, specifically the 3.7.7 release. The vendor has released an update, version 3.7.8, that addresses the issue. The component is also distributed as a WordPress plugin; the fix applies to plugin installations as well.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a malicious URL sent to a victim, exposing the risk primarily to web traffic. Although exploitation probability is low, successful exploitation could result in session hijacking or unauthorized actions, which is of significant concern.

Generated by OpenCVE AI on March 26, 2026 at 17:44 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by Schiocco team in version 3.7.8, released on February 2025.

OpenCVE Recommended Actions

  • Upgrade Schiocco Support Board to version 3.7.8 or later

Generated by OpenCVE AI on March 26, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:schiocco:support_board:*:*:*:*:*:wordpress:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 25 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Title Reflected Cross Site Scripting (XSS) vulnerability in Support Board
First Time appeared Schiocco
Schiocco support Board
Weaknesses CWE-79
CPEs cpe:2.3:a:schiocco:support_board:*:*:*:*:*:*:*:*
cpe:2.3:a:schiocco:support_board:3.7.8:*:*:*:*:*:*:*
Vendors & Products Schiocco
Schiocco support Board
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Schiocco Support Board
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-25T14:56:58.775Z

Reserved: 2026-03-25T13:28:15.555Z

Link: CVE-2026-4816

cve-icon Vulnrichment

Updated: 2026-03-25T14:56:55.077Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T14:16:40.300

Modified: 2026-03-26T14:53:28.623

Link: CVE-2026-4816

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:47:11Z

Weaknesses