{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31952", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.657Z", "datePublished": "2026-04-24T00:05:04.782Z", "dateUpdated": "2026-04-24T16:31:37.061Z"}, "containers": {"cna": {"title": "Xibo CMS API has SQL Injection via DataSet Filter Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629"}, {"name": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6", "tags": ["x_refsource_MISC"], "url": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6"}, {"name": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736", "tags": ["x_refsource_MISC"], "url": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736"}, {"name": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4", "tags": ["x_refsource_MISC"], "url": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4"}, {"name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"}], "affected": [{"vendor": "xibosignage", "product": "xibo-cms", "versions": [{"version": ">= 1.7, < 4.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:05:04.782Z"}, "descriptions": [{"lang": "en", "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8."}], "source": {"advisory": "GHSA-rq92-f6fv-3629", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T16:31:28.534964Z", "id": "CVE-2026-31952", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T16:31:37.061Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31952", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T16:31:28.534964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T16:31:34.002Z"}}], "cna": {"title": "Xibo CMS API has SQL Injection via DataSet Filter Parameter", "source": {"advisory": "GHSA-rq92-f6fv-3629", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "xibosignage", "product": "xibo-cms", "versions": [{"status": "affected", "version": ">= 1.7, < 4.4.1"}]}], "references": [{"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629", "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6", "name": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736", "name": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4", "name": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1", "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:05:04.782Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31952", "state": "PUBLISHED", "dateUpdated": "2026-04-24T16:31:37.061Z", "dateReserved": "2026-03-10T15:10:10.657Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T00:05:04.782Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*", "matchCriteriaId": "24F0D07D-F090-468B-86B2-B702E8CE3AEA", "versionEndExcluding": "4.4.1", "versionStartIncluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8."}], "id": "CVE-2026-31952", "lastModified": "2026-04-27T14:33:15.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T00:16:27.780", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-184"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.7,4.4.1)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "xibo-cms", "source": "cna", "vendor": "xibosignage"}, "product": "xibo", "vendor": "xibosignage"}], "analysis": {"en": {"generated_at": "2026-04-28T14:30:07.881267+00:00", "value": {"mitigation_remediation": ["Upgrade Xibo CMS to version 4.4.1 or later to eliminate the flaw.", "Apply the available patch releases for earlier versions (3.3, 2.3, 1.8) if you are running an unsupported release.", "Restrict the Access to DataSet and Access to Layout privileges to only trusted administrators."], "summary": {"action": "Apply patch", "impact": "Database compromise via SQL injection"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Xibo CMS product from the vendor Xibosignage. Versions 1.7 through 4.4.0 are affected. The issue is fixed in release 4.4.1; earlier unsupported releases such as 3.3, 2.3 and 1.8 have patch releases available.", "description_and_impact": "The flaw is an SQL injection in the API route that processes dataset filters (CWE\u201189) and involves arbitrary string manipulation (CWE\u2011184). An authenticated user who holds either the Access to DataSet Feature or the Access to the Layout Feature privilege can supply a crafted filter value that allows the attacker to read or modify arbitrary records in the Xibo database. This capability can be used to exfiltrate sensitive information or tamper with content displayed by the system.", "risk_and_exploitability": "The CVSS score of 7.6 indicates a severe impact, while the EPSS score of less than 1% suggests that exploit attempts are unlikely to occur at present. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated and possess the appropriate privileges to target the system, typically through the web API filtering endpoint. If such access is present, the exploit can be carried out without additional privileges or external exposure."}}}}, "created": "2026-04-28T08:45:26.976478+00:00", "updated": "2026-04-28T14:30:33.774227+00:00", "vendors": ["xibosignage", "xibosignage$PRODUCT$xibo"]}