PatchSiren cyber security CVE debrief

CVE-2016-9260 Tenable CVE debrief

CVE-2016-9260 is a cross-site scripting (XSS) issue in Tenable Nessus that affects releases before 6.9. The vulnerability allows a remote authenticated user to inject arbitrary web script or HTML through handling of .nessus files. NVD maps the issue to CWE-79 and rates it as a medium-severity problem with network access, low privileges, required user interaction, and limited confidentiality and integrity impact.

Vendor: Tenable
Product: CVE-2016-9260
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Security teams operating Tenable Nessus, especially environments where authenticated users can upload, import, or otherwise process .nessus files. Administrators responsible for scanner management, report workflows, and web-based Nessus interfaces should prioritize review and patch verification.

Technical summary

The published data describes a stored or reflected XSS condition in Nessus-related handling of .nessus files. NVD associates the issue with CWE-79 and the CVSS 3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that exploitation is reachable over the network, requires low privileges and user interaction, and can affect the scope beyond the vulnerable component. The supplied NVD CPE criteria mark Nessus versions up to 6.8.1 as vulnerable, while the textual description states 'before 6.9.'

Defensive priority

Moderate. This is not marked as known-exploited in the supplied enrichment, but it is a real authenticated XSS issue in a security product and should be patched promptly because successful injection could expose session data or alter trusted content within administrative workflows.

Recommended defensive actions

Upgrade Tenable Nessus to a fixed release at or above 6.9, or the latest supported version available in your environment.
Review workflows that import or display .nessus files and treat file-derived content as untrusted input.
Validate that any web UI output associated with scan files is properly encoded and sanitized after patching.
Limit Nessus administrative access to trusted users and enforce least privilege for accounts that can upload or import content.
Confirm remediation by checking deployed Nessus version against vendor guidance and by reviewing the affected version range in the NVD record.

Evidence notes

All statements here are derived from the supplied CVE/NVD corpus: published date 2017-01-31, description of XSS in Nessus before 6.9, NVD CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, CWE-79 mapping, and NVD CPE criteria showing vulnerable Nessus versions through 6.8.1. Reference URLs in the corpus include the Tenable advisory and third-party advisories, but their page contents were not assumed beyond the metadata provided.

Official resources

CVE-2016-9260 CVE record
CVE.org
CVE-2016-9260 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Vendor Advisory

Publicly disclosed on 2017-01-31. No Known Exploited Vulnerabilities entry was provided in the supplied enrichment.