{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4794", "assignerOrgId": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "state": "PUBLISHED", "assignerShortName": "PaperCut", "dateReserved": "2026-03-25T00:52:13.130Z", "datePublished": "2026-03-31T00:39:56.135Z", "dateUpdated": "2026-03-31T14:03:59.735Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "shortName": "PaperCut", "dateUpdated": "2026-03-31T00:39:56.135Z"}, "title": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}, {"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}, {"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "PaperCut", "product": "PaperCut NG/MF", "platforms": ["Windows", "MacOS", "Linux"], "versions": [{"status": "affected", "version": "0", "lessThan": "25.0.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10\u00a0allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session)."}]}], "references": [{"url": "https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:03:53.639112Z", "id": "CVE-2026-4794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:03:59.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:03:53.639112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:03:56.164Z"}}], "cna": {"title": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}, {"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}, {"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PaperCut", "product": "PaperCut NG/MF", "versions": [{"status": "affected", "version": "0", "lessThan": "25.0.10", "versionType": "semver"}], "platforms": ["Windows", "MacOS", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10\u00a0allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).", "supportingMedia": [{"type": "text/html", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "shortName": "PaperCut", "dateUpdated": "2026-03-31T00:39:56.135Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4794", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:03:59.735Z", "dateReserved": "2026-03-25T00:52:13.130Z", "assignerOrgId": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "datePublished": "2026-03-31T00:39:56.135Z", "assignerShortName": "PaperCut"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBDB4B03-5DFF-4983-94F4-27097E8DE93D", "versionEndExcluding": "25.0.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3318324-1141-474E-8AC9-75304DE81432", "versionEndExcluding": "25.0.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10\u00a0allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session)."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de cross-site scripting (XSS) en PaperCut NG/MF anteriores a la versi\u00f3n 25.0.10 permiten a usuarios administradores autenticados inyectar scripts web o c\u00f3digo HTML arbitrarios a trav\u00e9s de diferentes campos de la interfaz de usuario. Esto podr\u00eda usarse para comprometer las sesiones de otros administradores o realizar acciones no autorizadas a trav\u00e9s del contexto autenticado del administrador (por ejemplo, requiere una sesi\u00f3n de inicio de sesi\u00f3n activa)."}], "id": "CVE-2026-4794", "lastModified": "2026-04-03T18:15:05.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "type": "Secondary"}]}, "published": "2026-03-31T01:16:36.743", "references": [{"source": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "tags": ["Vendor Advisory"], "url": "https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/"}], "sourceIdentifier": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.0.10)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "PaperCut NG/MF", "source": "cna", "vendor": "PaperCut"}, "product": "papercut_mf", "vendor": "papercut"}], "analysis": {"en": {"generated_at": "2026-04-03T21:28:04.273388+00:00", "value": {"mitigation_remediation": ["Upgrade PaperCut NG and PaperCut MF to version 25.0.10 or later", "If an immediate upgrade is not possible, restrict or disable the UI fields that accept user input to prevent injection, or apply a content security policy to mitigate XSS", "Verify that your system is running a patched version and monitor logs for suspicious scripts or unauthorized admin actions", "Stay updated with vendor advisories for any additional fixes or guidance"], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting that enables session hijacking and unauthorized actions for authenticated administrators"}, "threat_synthesis": {"affected_systems": "Users of PaperCut NG and PaperCut MF who are running any release before 25.0.10 are vulnerable. The flaws appear in UI fields where administrators can enter scripts or markup and affect only users with administrative rights; guest or normal users are not impacted.", "description_and_impact": "Multiple cross\u2011site scripting (XSS) flaws exist in the management interface of PaperCut NG and PaperCut MF prior to version 25.0.10. These bugs allow an authenticated administrator to inject arbitrary JavaScript or HTML into various input fields, and the injected code runs in the context of other administrator sessions. The attacker can hijack sessions, deface the interface, or perform actions normally restricted to administrative privileges.", "risk_and_exploitability": "The overall risk is low, with a CVSS score of 2.1 and an EPSS below 1%, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, because it requires an active administrator session, attackers who compromise or socially engineer an admin account could gain additional control over the system. No public exploits have been reported, but the attack path is straightforward once an admin account is compromised."}}}}, "created": "2026-03-31T19:56:46.124704+00:00", "updated": "2026-04-07T08:08:19.722641+00:00", "vendors": ["papercut", "papercut$PRODUCT$papercut_mf"]}