๐Ÿ›ก๏ธ CVE-2026-3107
๐ŸŸก CVSS 5.4 โ€” Medium โœ… No Known Exploit CWE-79 NVD
5.4
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, allowing malicious JavaScript payloads to be persistently stored in the database. When other users view the imported passwords, the payload is automatically executed in their browsers, resulting in a stored XSS condition at the endpoint 'redacted/index.php?page=items'. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of multiple users and the administrator, which can lead to session hijacking, credential theft, privilege abuse, and compromise of application integrity.

Details

Severity MEDIUM
CVSS Score 5.4
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE CWE-79
Public Exploit โœ… No
Source NVD
Published 2026-03-31
Updated 2026-06-02
Modified 2026-04-07
Fix URL N/A

Affected Packages

Software From version Fixed in
teampass 3.1.5.16 3.1.5.24

Similar Threats

Free Vulnerability Check

Is your WordPress site affected?

BotEraser helps you identify potentially vulnerable plugins and themes by checking your installation against known CVE records.

Scan My Site Free โ†’

No credit card required  ยท  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.