{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4165", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-14T12:27:21.982Z", "datePublished": "2026-03-15T05:02:07.832Z", "dateUpdated": "2026-03-17T13:45:03.502Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-15T05:02:07.832Z"}, "title": "Worksuite HR, CRM and Project Management create cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "Worksuite", "product": "HR, CRM and Project Management", "versions": [{"version": "5.5.0", "status": "affected"}, {"version": "5.5.1", "status": "affected"}, {"version": "5.5.2", "status": "affected"}, {"version": "5.5.3", "status": "affected"}, {"version": "5.5.4", "status": "affected"}, {"version": "5.5.5", "status": "affected"}, {"version": "5.5.6", "status": "affected"}, {"version": "5.5.7", "status": "affected"}, {"version": "5.5.8", "status": "affected"}, {"version": "5.5.9", "status": "affected"}, {"version": "5.5.10", "status": "affected"}, {"version": "5.5.11", "status": "affected"}, {"version": "5.5.12", "status": "affected"}, {"version": "5.5.13", "status": "affected"}, {"version": "5.5.14", "status": "affected"}, {"version": "5.5.15", "status": "affected"}, {"version": "5.5.16", "status": "affected"}, {"version": "5.5.17", "status": "affected"}, {"version": "5.5.18", "status": "affected"}, {"version": "5.5.19", "status": "affected"}, {"version": "5.5.20", "status": "affected"}, {"version": "5.5.21", "status": "affected"}, {"version": "5.5.22", "status": "affected"}, {"version": "5.5.23", "status": "affected"}, {"version": "5.5.24", "status": "affected"}, {"version": "5.5.25", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-14T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-14T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-14T13:32:34.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "AhmadMarzouk (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.351072", "name": "VDB-351072 | Worksuite HR, CRM and Project Management create cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351072", "name": "VDB-351072 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.769430", "name": "Submit #769430 | WORKSUITE WORKSUITE - HR, CRM and Project Management v5.5.25 Cross Site Scripting", "tags": ["third-party-advisory"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:44:43.088799Z", "id": "CVE-2026-4165", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:45:03.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4165", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:44:43.088799Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:44:58.137Z"}}], "cna": {"title": "Worksuite HR, CRM and Project Management create cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "AhmadMarzouk (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Worksuite", "product": "HR, CRM and Project Management", "versions": [{"status": "affected", "version": "5.5.0"}, {"status": "affected", "version": "5.5.1"}, {"status": "affected", "version": "5.5.2"}, {"status": "affected", "version": "5.5.3"}, {"status": "affected", "version": "5.5.4"}, {"status": "affected", "version": "5.5.5"}, {"status": "affected", "version": "5.5.6"}, {"status": "affected", "version": "5.5.7"}, {"status": "affected", "version": "5.5.8"}, {"status": "affected", "version": "5.5.9"}, {"status": "affected", "version": "5.5.10"}, {"status": "affected", "version": "5.5.11"}, {"status": "affected", "version": "5.5.12"}, {"status": "affected", "version": "5.5.13"}, {"status": "affected", "version": "5.5.14"}, {"status": "affected", "version": "5.5.15"}, {"status": "affected", "version": "5.5.16"}, {"status": "affected", "version": "5.5.17"}, {"status": "affected", "version": "5.5.18"}, {"status": "affected", "version": "5.5.19"}, {"status": "affected", "version": "5.5.20"}, {"status": "affected", "version": "5.5.21"}, {"status": "affected", "version": "5.5.22"}, {"status": "affected", "version": "5.5.23"}, {"status": "affected", "version": "5.5.24"}, {"status": "affected", "version": "5.5.25"}]}], "timeline": [{"lang": "en", "time": "2026-03-14T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-14T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-14T13:32:34.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.351072", "name": "VDB-351072 | Worksuite HR, CRM and Project Management create cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351072", "name": "VDB-351072 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.769430", "name": "Submit #769430 | WORKSUITE WORKSUITE - HR, CRM and Project Management v5.5.25 Cross Site Scripting", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-15T05:02:07.832Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4165", "state": "PUBLISHED", "dateUpdated": "2026-03-17T13:45:03.502Z", "dateReserved": "2026-03-14T12:27:21.982Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-15T05:02:07.832Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en Worksuite HR, CRM y Project Management hasta la versi\u00f3n 5.5.25. El elemento afectado es una funci\u00f3n desconocida del archivo /account/orders/create. La manipulaci\u00f3n del argumento Client Note conduce a cross-site scripting. El ataque puede iniciarse remotamente. El exploit ha sido divulgado al p\u00fablico y puede ser utilizado."}], "id": "CVE-2026-4165", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:55.620", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.351072"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.351072"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.769430"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.21"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.23"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5.25"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "HR, CRM and Project Management", "source": "cna", "vendor": "Worksuite"}, "product": "hr,_crm_and_project_management", "vendor": "worksuite"}], "analysis": {"en": {"generated_at": "2026-03-17T17:18:08.468277+00:00", "value": {"mitigation_remediation": ["Verify the version of Worksuite HR, CRM and Project Management; if it is 5.5.25 or older, you must upgrade to a newer, patched release.", "If a patch is not yet available, contact Worksuite support for guidance on applying a temporary fix or request a security patch.", "Consider disabling or restricting the Client Note input for the /account/orders/create endpoint until a patch can be applied.", "Implement an input\u2011validation filter or a web\u2011application firewall rule that blocks or sanitizes scripts submitted through the Client Note field as an interim measure."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting attacker could inject malicious script via the Client Note field"}, "threat_synthesis": {"affected_systems": "Worksuite HR, CRM and Project Management products up to version 5.5.25 are vulnerable. The affected version information is explicitly stated as \"up to 5.5.25\"; no later versions have been reported to contain the issue.", "description_and_impact": "A vulnerability exists in Worksuite HR, CRM and Project Management, affecting an unknown function within the /account/orders/create file. Manipulating the argument Client Note allows the attacker to inject arbitrary JavaScript, creating a cross\u2011site scripting (XSS) flaw. The weakness, identified as CWE\u201179, could enable a remote attacker to execute code in the context of authenticated users, potentially leading to session hijacking, data theft, or defacement. The vulnerability is specified to be exploitable from a remote location, indicating that an unauthenticated user can trigger it by sending crafted input to the affected endpoint.", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate severity. The EPSS score is below 1%, suggesting a low likelihood of current exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. While the attack vector is remote, the description implies that exploitation requires crafting a payload delivered via the Client Note field. No public exploit code is yet documented, but the flaw has been disclosed and may be used once patched or mitigated."}}}}, "created": "2026-03-16T09:22:09.894746+00:00", "updated": "2026-03-23T14:02:03.828547+00:00", "vendors": ["worksuite", "worksuite$PRODUCT$hr,_crm_and_project_management"]}