{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3327", "assignerOrgId": "3ba556a3-57d7-4c5d-b460-9d6daa180ee1", "state": "PUBLISHED", "assignerShortName": "Intigriti", "dateReserved": "2026-02-27T14:08:55.710Z", "datePublished": "2026-02-27T14:09:38.150Z", "dateUpdated": "2026-02-27T18:44:26.847Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Web Previews", "vendor": "DatoCMS", "versions": [{"status": "affected", "version": "< 1.0.31"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ayoub Benlamchich (INTIGRITI)"}], "datePublic": "2026-02-25T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews &lt; v1.0.31.<p></p>"}], "value": "Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3ba556a3-57d7-4c5d-b460-9d6daa180ee1", "shortName": "Intigriti", "dateUpdated": "2026-02-27T14:09:38.150Z"}, "references": [{"url": "https://github.com/datocms/plugins/commit/7965eebf0973cc5ebb18bc5ff9ce7ff19e89bb2e"}], "source": {"discovery": "UNKNOWN"}, "title": "Authenticated DatoCMS Web Previews Plugin Iframe Injection", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T18:44:18.238930Z", "id": "CVE-2026-3327", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:44:26.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3327", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T18:44:18.238930Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:44:23.512Z"}}], "cna": {"title": "Authenticated DatoCMS Web Previews Plugin Iframe Injection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ayoub Benlamchich (INTIGRITI)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "DatoCMS", "product": "Web Previews", "versions": [{"status": "affected", "version": "< 1.0.31"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T09:00:00.000Z", "references": [{"url": "https://github.com/datocms/plugins/commit/7965eebf0973cc5ebb18bc5ff9ce7ff19e89bb2e"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31.", "supportingMedia": [{"type": "text/html", "value": "Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews &lt; v1.0.31.<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "3ba556a3-57d7-4c5d-b460-9d6daa180ee1", "shortName": "Intigriti", "dateUpdated": "2026-02-27T14:09:38.150Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3327", "state": "PUBLISHED", "dateUpdated": "2026-02-27T18:44:26.847Z", "dateReserved": "2026-02-27T14:08:55.710Z", "assignerOrgId": "3ba556a3-57d7-4c5d-b460-9d6daa180ee1", "datePublished": "2026-02-27T14:09:38.150Z", "assignerShortName": "Intigriti"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31."}, {"lang": "es", "value": "Inyecci\u00f3n de Iframe Autenticada en el plugin Web Previews de Dato CMS. Esta vulnerabilidad permite a un usuario autenticado malicioso evitar la restricci\u00f3n impuesta en la URL de frontend, permitiendo la carga de recursos externos u or\u00edgenes arbitrarios. Este problema afecta a Web Previews &lt; v1.0.31."}], "id": "CVE-2026-3327", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "3ba556a3-57d7-4c5d-b460-9d6daa180ee1", "type": "Secondary"}]}, "published": "2026-02-27T15:16:30.950", "references": [{"source": "3ba556a3-57d7-4c5d-b460-9d6daa180ee1", "url": "https://github.com/datocms/plugins/commit/7965eebf0973cc5ebb18bc5ff9ce7ff19e89bb2e"}], "sourceIdentifier": "3ba556a3-57d7-4c5d-b460-9d6daa180ee1", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "3ba556a3-57d7-4c5d-b460-9d6daa180ee1", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.31)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Web Previews", "source": "cna", "vendor": "DatoCMS"}, "product": "web_previews", "vendor": "datocms"}], "analysis": {"en": {"generated_at": "2026-04-18T10:15:22.239615+00:00", "value": {"mitigation_remediation": ["Upgrade the DatoCMS Web Previews plugin to version 1.0.31 or later.", "Implement a content\u2011security\u2011policy that restricts iframe sources to trusted origins.", "Disable or restrict the Web Previews feature for users who do not require it."], "summary": {"action": "Apply Update", "impact": "Authenticated Iframe Injection"}, "threat_synthesis": {"affected_systems": "The affected product is the DatoCMS Web Previews plugin, any version preceding the 1.0.31 release. Users who have configured the plugin with a frontend URL are susceptible, and the vulnerability is specific to the DatoCMS environment.", "description_and_impact": "An authenticated user can bypass the restriction on the configured frontend URL in the DatoCMS Web Previews plugin, allowing the loading of arbitrary external resources or origins within iframes. This capability enables the presentation of content that may appear to originate from the trusted site. Based on the vulnerability\u2019s functionality, it is inferred that an attacker could host malicious content that appears to come from the original site.", "risk_and_exploitability": "The CVSS score is 4.8, and the EPSS score is less than 1\u202f%. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid credentials; therefore the attack surface is limited to authenticated staff or contributors. While the probability of exploitation is low, once authenticated, an attacker can insert arbitrary iframe content that may undermine user trust."}}}}, "created": "2026-03-02T12:07:12.771701+00:00", "updated": "2026-04-18T10:15:25.884648+00:00", "vendors": ["datocms", "datocms$PRODUCT$web_previews"]}