{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4816", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-03-25T13:28:15.555Z", "datePublished": "2026-03-25T13:31:47.952Z", "dateUpdated": "2026-03-25T14:56:58.775Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-25T13:34:12.054Z"}, "title": "Reflected Cross Site Scripting (XSS) vulnerability in Support Board", "datePublic": "2026-03-09T11:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Schiocco", "product": "Support Board", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.7.7", "versionType": "custom"}, {"status": "unaffected", "version": "3.7.8"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:schiocco:support_board:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "3.7.7"}, {"vulnerable": false, "criteria": "cpe:2.3:a:schiocco:support_board:3.7.8:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-support-board-schiocco", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "solutions": [{"lang": "en", "value": "The vulnerability has been fixed by Schiocco team in version 3.7.8, released on February 2025.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnerability has been fixed by Schiocco team in version 3.7.8, released on February 2025."}]}], "source": {"defect": ["Gonzalo Aguilar Garc\u00eda (6h4ack)"], "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:56:50.675668Z", "id": "CVE-2026-4816", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:56:58.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4816", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:56:50.675668Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:56:55.077Z"}}], "cna": {"title": "Reflected Cross Site Scripting (XSS) vulnerability in Support Board", "source": {"defect": ["Gonzalo Aguilar Garc\u00eda (6h4ack)"], "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Schiocco", "product": "Support Board", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.7.7"}, {"status": "unaffected", "version": "3.7.8"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability has been fixed by Schiocco team in version 3.7.8, released on February 2025.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been fixed by Schiocco team in version 3.7.8, released on February 2025.", "base64": false}]}], "datePublic": "2026-03-09T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-support-board-schiocco", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.", "supportingMedia": [{"type": "text/html", "value": "A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:schiocco:support_board:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.7.7", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:schiocco:support_board:3.7.8:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-25T13:34:12.054Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4816", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:56:58.775Z", "dateReserved": "2026-03-25T13:28:15.555Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2026-03-25T13:31:47.952Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schiocco:support_board:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "47462996-66AF-40DF-ABE4-A0150B509FEB", "versionEndExcluding": "3.7.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user."}], "id": "CVE-2026-4816", "lastModified": "2026-03-26T14:53:28.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2026-03-25T14:16:40.300", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-support-board-schiocco"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.7.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.7.8"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Support Board", "source": "cna", "vendor": "Schiocco"}, "product": "support_board", "vendor": "schiocco"}], "analysis": {"en": {"generated_at": "2026-03-25T15:22:09.937982+00:00", "value": {"mitigation_remediation": ["Update to Support Board version 3.7.8 or later, which contains a patch that neutralizes the reflected XSS flaw."], "summary": {"action": "Immediate Patch", "impact": "Client-side XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects version 3.7.7 of Schiocco Support Board. All installations of this version or earlier that expose the 'search' parameter are susceptible. The Schiocco team has released a fix in version 3.7.8, which supersedes the vulnerable versions.", "description_and_impact": "A reflected cross\u2011site scripting vulnerability exists in Support Board that allows an attacker to inject and execute arbitrary JavaScript code in a victim\u2019s browser by including malicious payloads in the 'search' parameter of /supportboard/include/articles.php. This flaw, categorized as CWE\u201179, can be used to steal sensitive information such as session cookies, and can enable the attacker to perform actions on behalf of the user, effectively manipulating the user\u2019s authenticated session.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate impact, and the vulnerability is exploitable via a crafted HTTP URL that a victim may click on or encounter in a link. No authentication or privilege escalation is required; the attack succeeds simply by tricking a user into loading the crafted page. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the web\u2011based nature of the flaw makes exploitation relatively straightforward if an attacker can distribute malicious URLs. The overall risk is moderate, with potential for session hijacking and unauthorized actions."}}}}, "created": "2026-03-25T21:31:12.364483+00:00", "updated": "2026-03-26T11:43:09.861446+00:00", "vendors": ["schiocco", "schiocco$PRODUCT$support_board"]}