CVE-2026-5332 - Vulnerability Details

- Xiaopi Panel WAF Firewall demo.php cross site scripting

Description

A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-02

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw occurs in the /demo.php script of Xiaopi Panel 1.0.0 when the param argument is reflected without proper sanitization, allowing an attacker to inject arbitrary HTML or JavaScript. The injected code runs in the victim’s browser, which can enable credential theft, defacement, or the execution of other client‑side attacks. The vulnerability is a reflected XSS that is publicly documented and an exploit script is available.

Affected Systems

The affected product is Xiaopi Panel 1.0.0. All installations that expose the demo.php endpoint with the vulnerable param handling are impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is below 1 %, reflecting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Remote exploitation is possible by sending a crafted URL to a vulnerable host. Because the flaw is client‑side, it does not compromise the server directly, but it can lead to data theft or session hijacking when a user visits the affected page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Xiaopi

Panel

affected

Version	Status	Constraints
`1.0.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:xiaopi:panel:1.0.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Xiaopi

Panel

100%

Version	Status	Scheme	Platform
`1.0.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any official patch or firmware update released by Xiaopi for Panel 1.0.0; if none, request a fix.
If the demo.php endpoint is not required, remove or restrict access to it using web‑server configuration or firewall rules.
Implement additional input validation or use an application‑level WAF to block reflected XSS attacks.
Monitor web logs for suspicious query strings containing script payloads and enforce security best‑practice controls.

Generated by OpenCVE AI on April 7, 2026 at 23:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ltranquility/vuln_submit/issues/1
https://vuldb.com/submit/780839
https://vuldb.com/vuln/354666
https://vuldb.com/vuln/354666/cti

History

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:xiaopi:panel:1.0.0:::::::*

Fri, 03 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xiaopi Xiaopi panel
Vendors & Products		Xiaopi Xiaopi panel

Thu, 02 Apr 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Xiaopi Panel WAF Firewall demo.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/ltranquility/vuln_submit/issues/1 https://vuldb.com/submit/780839 https://vuldb.com/vuln/354666 https://vuldb.com/vuln/354666/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Xiaopi Panel

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-02T13:15:11.183Z

Updated: 2026-04-03T19:52:05.065Z

Reserved: 2026-04-01T13:57:58.665Z

Link: CVE-2026-5332

Vulnrichment

Updated: 2026-04-03T19:51:56.472Z

NVD

Status : Analyzed

Published: 2026-04-02T14:16:36.163

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:35Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object