{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26460", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-15T15:36:23.365Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T20:45:52.241Z"}, "descriptions": [{"lang": "en", "value": "A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.vtiger.com/open-source-crm/"}, {"url": "https://www.simonjuguna.com/cve-2026-26460-html-injection-vulnerability-in-vtiger-open-source-edition-v8-4-0/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-80", "lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:34:06.690915Z", "id": "CVE-2026-26460", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:36:23.365Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26460", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:34:06.690915Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:36:17.688Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.vtiger.com/open-source-crm/"}, {"url": "https://www.simonjuguna.com/cve-2026-26460-html-injection-vulnerability-in-vtiger-open-source-edition-v8-4-0/"}], "descriptions": [{"lang": "en", "value": "A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T20:45:52.241Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26460", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:36:23.365Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser"}], "id": "CVE-2026-26460", "lastModified": "2026-04-15T16:16:34.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T21:16:24.020", "references": [{"source": "cve@mitre.org", "url": "https://www.simonjuguna.com/cve-2026-26460-html-injection-vulnerability-in-vtiger-open-source-edition-v8-4-0/"}, {"source": "cve@mitre.org", "url": "https://www.vtiger.com/open-source-crm/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "8.4.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "crm", "vendor": "vtiger"}], "analysis": {"en": {"generated_at": "2026-04-16T02:35:58.850973+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s latest patch to Vtiger CRM or upgrade to a version that addresses the Dashboard module issue.", "If a patch is unavailable, limit access to the Dashboard module or the tabid parameter to users with strictly necessary privileges.", "Implement server\u2011side sanitization of the tabid parameter and ensure all output is properly escaped before rendering.", "Deploy a strict Content Security Policy to block execution of inline or unknown scripts.", "Monitor dashboard pages for unexpected HTML content and review logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vtiger CRM (open\u2011source edition) version 8.4.0. The vulnerability is located in the DashBoardTab view during the getTabContents action and only this version is confirmed to be affected. No other versions are listed in the available data.", "description_and_impact": "A failure to neutralize user\u2011supplied input in the tabid parameter of Vtiger CRM\u2019s Dashboard module allows an attacker to inject arbitrary HTML content that is rendered directly in the victim\u2019s browser. The injected code runs with the privileges of the user viewing the dashboard, enabling actions such as cookie theft, session hijacking, phishing, or defacement. The flaw is a classic cross\u2011site scripting vulnerability arising from improper output encoding.", "risk_and_exploitability": "The CVSS score is 6.1, EPSS score is <1%, and the vulnerability is not listed in CISA\u2019s KEV catalog. The low EPSS score suggests that exploitation is unlikely in the near term, although the flaw remains a medium\u2011severity XSS risk if an attacker manages to supply a malicious tabid parameter. The impact on confidentiality, integrity, and availability remains significant for authenticated users who can view the dashboard."}}}}, "created": "2026-04-14T16:21:41.398771+00:00", "updated": "2026-04-16T02:45:06.082380+00:00", "vendors": ["vtiger", "vtiger$PRODUCT$crm"]}