{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31956", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:40:10.479Z", "datePublished": "2026-04-24T00:16:03.413Z", "dateUpdated": "2026-04-24T13:08:17.026Z"}, "containers": {"cna": {"title": "Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8"}, {"name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"}], "affected": [{"vendor": "xibosignage", "product": "xibo-cms", "versions": [{"version": "< 4.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:16:03.413Z"}, "descriptions": [{"lang": "en", "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate."}], "source": {"advisory": "GHSA-q6rv-8hhj-3fr8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T13:08:09.832329Z", "id": "CVE-2026-31956", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:08:17.026Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31956", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T13:08:09.832329Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:08:13.308Z"}}], "cna": {"title": "Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization", "source": {"advisory": "GHSA-q6rv-8hhj-3fr8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "xibosignage", "product": "xibo-cms", "versions": [{"status": "affected", "version": "< 4.4.1"}]}], "references": [{"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8", "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1", "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:16:03.413Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31956", "state": "PUBLISHED", "dateUpdated": "2026-04-24T13:08:17.026Z", "dateReserved": "2026-03-10T15:40:10.479Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T00:16:03.413Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*", "matchCriteriaId": "57F53EFF-4DF3-46B8-B538-D4D852953280", "versionEndExcluding": "4.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate."}], "id": "CVE-2026-31956", "lastModified": "2026-04-27T14:44:42.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T01:16:11.773", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.4.1)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "xibo-cms", "source": "cna", "vendor": "xibosignage"}, "product": "xibo", "vendor": "xibosignage"}], "analysis": {"en": {"generated_at": "2026-04-28T07:05:49.576266+00:00", "value": {"mitigation_remediation": ["Upgrade Xibo CMS to version 4.4.1 or later to apply the vendor-provided fix.", "Restrict layout, campaign, and report management permissions to trusted roles only, ensuring no user possesses the ability to preview or export others' content.", "Disable or remove any preview and export endpoints for users lacking the necessary authorization if an upgrade is not yet possible."], "summary": {"action": "Apply Patch", "impact": "Untrusted IDOR granting access to preview content and exported reports"}, "threat_synthesis": {"affected_systems": "The affected product is Xibo CMS by XiboSignage, specifically versions prior to 4.4.1. Users relying on earlier releases are vulnerable until they apply the updated version.", "description_and_impact": "Xibo CMS suffers from an insecure direct object reference (IDOR) due to a missing controller-level authorization check. Any authenticated user can craft URLs to preview campaigns or regions and to export saved reports that belong to other users. The exposure is a result of the disableUserCheck bypass and falls under CWE-639, allowing unintended information disclosure.", "risk_and_exploitability": "Based on the CVSS score of 4.3, the vulnerability is classified as moderate severity. The EPSS score of < 1% indicates a low probability of exploitation in the wild, and the issue is not listed in CISA's KEV catalog. Exploitation requires a legitimate user with layout, campaign, or report management permissions; by manually constructing a request URL, the attacker can retrieve content from other users, enabling unauthorized data disclosure. The attack vector is web-based, relying on authenticated HTTP requests."}}}}, "created": "2026-04-28T07:15:19.373542+00:00", "updated": "2026-04-28T08:45:26.975781+00:00", "vendors": ["xibosignage", "xibosignage$PRODUCT$xibo"]}