Description
Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser
Published: 2026-04-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The NightWolf Penetration Testing Platform is vulnerable to stored cross‑site scripting. This weakness allows an attacker to insert malicious script into data fields stored within the platform. When a legitimate user views the affected content, the script executes in the user's browser, enabling the attacker to steal session cookies, hijack user sessions, deface the interface, or perform other client‑side actions. The vulnerability results from unsanitized input leading to improper encoding of output.

Affected Systems

The vulnerability affects the NightWolf Penetration Testing Platform developed by FPT Software. The advisory does not list specific versions, so any deployment of the platform that accepts user input and subsequently displays that data to users is potentially impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, reflecting a medium base score that balances the likelihood of exploitation with the potential impact on confidentiality, integrity, and availability. Because an EPSS score is unavailable, the precise exploitation probability remains uncertain. The vulnerability is not cataloged in CISA’s KEV list, suggesting no known active exploitation. The attack vector typically involves an attacker submitting malicious payload into a stored field; the attacker must possess sufficient privileges to create or edit that data, and subsequent users who view the data will become victims.

Generated by OpenCVE AI on April 13, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s advisory page for a patch that addresses the stored XSS issue and apply it immediately.
  • If a patch is not yet available, enforce strict input validation and output encoding for all fields that accept user data before rendering it in the browser.
  • Restrict or revoke permissions for users who can create or modify data that appears on public or shared interfaces, thereby limiting the attack surface.
  • Configure web application firewalls to detect and block common XSS payloads and monitor logs for signs of unexpected script execution or unauthorized data changes.

Generated by OpenCVE AI on April 13, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Fpt Software
Fpt Software nightwolf Penetration Testing Platform
Vendors & Products Fpt Software
Fpt Software nightwolf Penetration Testing Platform

Mon, 13 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser
Title Stored Cross Site Scripting in NightWolf Penetration Testing Platform
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N'}


Subscriptions

Fpt Software Nightwolf Penetration Testing Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: FSOFT

Published:

Updated: 2026-04-13T18:06:17.801Z

Reserved: 2026-04-13T02:18:11.562Z

Link: CVE-2026-6179

cve-icon Vulnrichment

Updated: 2026-04-13T17:58:00.719Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T03:16:03.297

Modified: 2026-06-17T11:00:26.323

Link: CVE-2026-6179

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:53:39Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')