CVE-2026-31952

April 24, 2026, 2:50 p.m.

7.6
High

Description

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.

Product(s) Impacted

Vendor Product Versions
Xibo
  • Xibo
  • 1.7, 4.4.0, 4.4.1, 3.3, 2.3, 1.8

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a xibo xibo 1.7 / / / / / / /
a xibo xibo 4.4.0 / / / / / / /
a xibo xibo 4.4.1 / / / / / / /
a xibo xibo 3.3 / / / / / / /
a xibo xibo 2.3 / / / / / / /
a xibo xibo 1.8 / / / / / / /

References

https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6
https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736
https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4
https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629

Tags

[email protected]
CWE-89
2026-04-24
CVE-2026-31952

CVSS Score

7.6 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

    View Vector String

Timeline

Published: April 24, 2026, 12:16 a.m.
Last Modified: April 24, 2026, 2:50 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.