{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3106", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-02-24T10:44:55.903Z", "datePublished": "2026-03-31T08:51:35.333Z", "dateUpdated": "2026-03-31T18:04:26.550Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-31T08:51:35.333Z"}, "title": "Multiple vulnerabilities in Teampass", "datePublic": "2026-03-31T08:42:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Teampass", "product": "Teampass", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.1.5.16", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:teampass:teampass:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "3.1.5.16"}]}]}], "descriptions": [{"lang": "en", "value": "Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contrase\u00f1a' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contrase\u00f1a' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition.</p>"}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teampass", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "The issue has been fixed in version 3.1.5.24.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The issue has been fixed in version 3.1.5.24."}]}], "credits": [{"lang": "en", "value": "Julen Garrido Est\u00e9vez (B3xal)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:02:20.289099Z", "id": "CVE-2026-3106", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:04:26.550Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3106", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T15:02:20.289099Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:02:25.268Z"}}], "cna": {"title": "Multiple vulnerabilities in Teampass", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Julen Garrido Est\u00e9vez (B3xal)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Teampass", "product": "Teampass", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1.5.16"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The issue has been fixed in version 3.1.5.24.", "supportingMedia": [{"type": "text/html", "value": "The issue has been fixed in version 3.1.5.24.", "base64": false}]}], "datePublic": "2026-03-31T08:42:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teampass", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contrase\u00f1a' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition.", "supportingMedia": [{"type": "text/html", "value": "<p>Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contrase\u00f1a' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:teampass:teampass:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.1.5.16", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-31T08:51:35.333Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3106", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:04:26.550Z", "dateReserved": "2026-02-24T10:44:55.903Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2026-03-31T08:51:35.333Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:teampass:teampass:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A32E3AF-53D9-4522-8681-9E95819801F1", "versionEndExcluding": "3.1.5.24", "versionStartIncluding": "3.1.5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contrase\u00f1a' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition."}, {"lang": "es", "value": "Blind cross-site scripting (XSS) en Teampass, versiones anteriores a la 3.1.5.16, dentro de la funcionalidad de inicio de sesi\u00f3n del gestor de contrase\u00f1as en el par\u00e1metro 'contrase\u00f1a' del formulario de inicio de sesi\u00f3n 'redacted/index.php'. Durante los intentos de autenticaci\u00f3n fallidos, la aplicaci\u00f3n no limpia ni codifica correctamente la informaci\u00f3n introducida por el usuario en el campo de nombre de usuario. Como resultado, c\u00f3digo JavaScript arbitrario se ejecuta autom\u00e1ticamente en el navegador del administrador al ver las entradas de inicio de sesi\u00f3n fallidas, lo que resulta en una condici\u00f3n de XSS ciego."}], "id": "CVE-2026-3106", "lastModified": "2026-04-07T15:36:09.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2026-03-31T09:16:22.700", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teampass"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.5.16]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Teampass", "source": "cna", "vendor": "Teampass"}, "product": "teampass", "vendor": "teampass"}], "analysis": {"en": {"generated_at": "2026-03-31T10:50:53.580203+00:00", "value": {"mitigation_remediation": ["Apply the official Teampass patch, upgrading to version 3.1.5.24 or later.", "If a patch cannot be applied immediately, restrict administrative access to the login and log\u2011review pages and advise users to avoid clicking any suspicious links in the failed\u2011login logs.", "Consider deploying a web application firewall or adding input validation to strip scripts from the \"contrase\u00f1a\" parameter as a temporary safeguard."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting in Administrative Interface"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Teampass deployments running any version prior to 3.1.5.16. The fix is included in version 3.1.5.24, which supersedes all vulnerable releases.", "description_and_impact": "Teampass versions older than 3.1.5.16 allow a blind Cross\u2011Site Scripting flaw in the login form\u2019s \"contrase\u00f1a\" parameter. When an authentication attempt fails, the entered username is displayed in the list of failed logins without proper encoding, causing arbitrary JavaScript to execute in the browser of an administrator who views that log. The flaw enables an attacker to run malicious code in the context of the admin session, potentially stealing session tokens, modifying data, or defacing the interface.", "risk_and_exploitability": "The flaw carries a high CVSS score of 9.3. No EPSS score is available, and the vulnerability is not listed in the KEV catalog. A remote attacker can submit a crafted request to the login endpoint without prior authentication and trigger the XSS when an administrator later opens the failed\u2011login log. Because the exploit requires only that the administrator view the log, the attack is relatively easy to perform on exposed administrative interfaces, making the risk significant."}}}}, "created": "2026-03-31T19:55:59.431952+00:00", "updated": "2026-03-31T20:39:20.333844+00:00", "vendors": ["teampass", "teampass$PRODUCT$teampass"]}