{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31050", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-24T15:22:54.550Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T14:48:04.770Z"}, "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://hostbillapp.com/changelog"}, {"url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"url": "https://hostbillapp.com/responsible-disclosure"}, {"url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Stored%20Cross-Site%20Scripting%20%28XSS%29%20Vulnerability/admin%20and%20client%20interfaces"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Stored%20Cross-Site%20Scripting%20%28XSS%29%20Vulnerability/admin%20and%20client%20interfaces", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T15:12:09.829282Z", "id": "CVE-2026-31050", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T15:22:54.550Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31050", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T15:12:09.829282Z"}}}], "references": [{"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Stored%20Cross-Site%20Scripting%20%28XSS%29%20Vulnerability/admin%20and%20client%20interfaces", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T15:10:13.756Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://hostbillapp.com/changelog"}, {"url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"url": "https://hostbillapp.com/responsible-disclosure"}, {"url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Stored%20Cross-Site%20Scripting%20%28XSS%29%20Vulnerability/admin%20and%20client%20interfaces"}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T14:48:04.770Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31050", "state": "PUBLISHED", "dateUpdated": "2026-04-24T15:22:54.550Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-24T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code"}], "id": "CVE-2026-31050", "lastModified": "2026-04-24T17:55:55.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-24T15:16:26.980", "references": [{"source": "cve@mitre.org", "url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"source": "cve@mitre.org", "url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Stored%20Cross-Site%20Scripting%20%28XSS%29%20Vulnerability/admin%20and%20client%20interfaces"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/changelog"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/responsible-disclosure"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Stored%20Cross-Site%20Scripting%20%28XSS%29%20Vulnerability/admin%20and%20client%20interfaces"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2025-11-24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2025-12-01"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "hostbill", "vendor": "hostbillapp"}], "analysis": {"en": {"generated_at": "2026-04-28T07:10:10.249154+00:00", "value": {"mitigation_remediation": ["Apply the latest HostBill release (e.g., 2025\u201112\u201101 or newer) that eliminates the XSS flaw. ", "Ensure that any legacy or custom modules no longer rely on the affected interfaces and remove or sandbox them. ", "Restrict execution of user\u2011provided code by configuring proper Content Security Policy (CSP) headers and enabling output encoding throughout the application."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected systems are HostBill web applications deployed with the 2025\u201111\u201124 or 2025\u201112\u201101 releases. Admin or client users who view pages that incorporate legacy or unsanitized input may be able to trigger the XSS vector.", "description_and_impact": "HostBill v.2025-11-24 and 2025-12-01 contain a cross\u2011site scripting (XSS) flaw that permits a remote attacker to run arbitrary code. The vulnerability arises when untrusted input is reflected or stored in the application\u2019s admin and client interfaces without proper sanitization, allowing a malicious payload to be delivered to an affected user. Executing such payloads can grant the attacker unauthorized control over the victim\u2019s browser session and potentially the underlying system if the code runs with higher privileges.", "risk_and_exploitability": "The CVSS score of 4.9 indicates moderate overall risk, while the EPSS score of less than 1% suggests a low likelihood of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web\u2011based exploitation where an attacker crafts a malicious script and induces vulnerable users to view a page that contains the payload. Because the flaw can lead to arbitrary code execution, the potential impact on confidentiality, integrity, and availability is significant for any compromised user session."}}}}, "created": "2026-04-27T19:15:11.633254+00:00", "title": "Cross\u2011Site Scripting in HostBill Enables Remote Code Execution", "updated": "2026-04-28T07:15:19.375658+00:00", "vendors": ["hostbillapp", "hostbillapp$PRODUCT$hostbill"]}