{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23880", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T21:02:02.900Z", "datePublished": "2026-01-19T20:55:28.469Z", "dateUpdated": "2026-01-20T15:12:32.529Z"}, "containers": {"cna": {"title": "OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g"}, {"name": "https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f", "tags": ["x_refsource_MISC"], "url": "https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f"}], "affected": [{"vendor": "HackUCF", "product": "OnboardLite", "versions": [{"version": "< 1d32081a66f21bcf41df1ecb672490b13f6e429f", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:55:28.469Z"}, "descriptions": [{"lang": "en", "value": "OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue."}], "source": {"advisory": "GHSA-93w8-83cg-h89g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:12:18.083821Z", "id": "CVE-2026-23880", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:12:32.529Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T15:12:18.083821Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:12:27.548Z"}}], "cna": {"title": "OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over", "source": {"advisory": "GHSA-93w8-83cg-h89g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "HackUCF", "product": "OnboardLite", "versions": [{"status": "affected", "version": "< 1d32081a66f21bcf41df1ecb672490b13f6e429f"}]}], "references": [{"url": "https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g", "name": "https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f", "name": "https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:55:28.469Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23880", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:12:32.529Z", "dateReserved": "2026-01-16T21:02:02.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T20:55:28.469Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue."}, {"lang": "es", "value": "OnboardLite es una plataforma integral para el ciclo de vida de la membres\u00eda construida para organizaciones estudiantiles en la Universidad de Florida Central. Las versiones del software anteriores al commit 1d32081a66f21bcf41df1ecb672490b13f6e429f tienen una vulnerabilidad de cross-site scripting almacenado que puede ser renderizada a un administrador cuando intenta migrar la cuenta de Discord de un usuario en el panel de control. El commit 1d32081a66f21bcf41df1ecb672490b13f6e429f corrige el problema."}], "id": "CVE-2026-23880", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-19T21:15:52.357", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f"}, {"source": "security-advisories@github.com", "url": "https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:48:27.393024+00:00", "value": {"mitigation_remediation": ["Update to the patched version of OnboardLite by applying commit 1d32081a66f21bcf41df1ecb672490b13f6e429f or a later release that includes the fix.", "If a patch cannot be applied immediately, disable the Discord account migration feature or restrict its use to trusted administrators until the vulnerability is remediated.", "Implement comprehensive input validation and output encoding on all user\u2011supplied data, or deploy a web application firewall to block XSS payloads."], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting that permits administrator account takeover"}, "threat_synthesis": {"affected_systems": "All releases of HackUCF OnboardLite prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f are affected. The vulnerability was fixed in that commit, which should be applied to replace any earlier version of the software.", "description_and_impact": "OnboardLite contains a stored cross\u2011site scripting flaw that is triggered when an administrator migrates a student\u2019s Discord account in the dashboard. The attacker can inject malicious JavaScript that is stored and later executed with the full privileges of the administrator, enabling account hijacking, credential theft, or arbitrary code execution within the application context. The weakness stems from a lack of input validation (CWE\u201179), improper handling of user\u2011supplied data (CWE\u201120), and potential data type mismatch (CWE\u2011116).", "risk_and_exploitability": "The CVSS score of 7.3 indicates high severity, but the EPSS score less than 1% and absence from the CISA KEV catalog suggest a low likelihood of widespread exploitation at present. The likely attack vector is via the web interface that allows administrators to migrate Discord accounts; an attacker must be able to supply or modify the migration field with a malicious payload, which persists and executes when the administrator reloads the dashboard. An attacker would need any level of access that permits the execution of the migration action, such as user accounts with compromised credentials or access to an unprotected administrator account."}}}}, "created": "2026-01-20T08:40:17.414154+00:00", "updated": "2026-04-18T16:00:04.278641+00:00", "vendors": ["hackucf", "hackucf$PRODUCT$onboardlite"]}