PatchSiren cyber security CVE debrief
CVE-2026-42558 xibosignage CVE debrief
CVE-2026-42558 is a vulnerability in the Xibo digital signage platform, which allows users with DataSet permissions to craft malicious messages via the Data Connector functionality. This vulnerability, with a CVSS score of 7.6, was published on 2026-06-10T23:16:46.263Z and modified on 2026-06-11T15:30:51.693Z. The vulnerability is a combination of Stored XSS and Iframe Sandbox escape, enabling attackers to execute malicious scripts and escape the sandbox. To remediate, users should upgrade to version 4.4.2 of Xibo.
- Vendor: xibosignage
- Product: xibo-cms
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of the Xibo digital signage platform, especially those with DataSet permissions, should be aware of this vulnerability and take the necessary actions to remediate it.
Technical summary
The vulnerability is caused by a combination of Stored XSS and Iframe Sandbox escape in the Xibo CMS. Users with DataSet permissions can use the Data Connector functionality to craft messages that escape the sandbox and facilitate XSS.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to version 4.4.2 of Xibo to fix the vulnerability.
- Revoke DataSet permissions from untrusted users.
Evidence notes
The vulnerability is confirmed by the CVE record [cve-org] and detailed in the NVD [nvd].
Official resources
- CVE-2026-42558 CVE record (CVE.org)
- CVE-2026-42558 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-42558 was published on 2026-06-10T23:16:46.263Z and modified on 2026-06-11T15:30:51.693Z.