CVE-2026-26460

MEDIUM CVSS 3.1: 6.1 EPSS 0.03%
Updated Apr 17, 2026
CVSS: 6.1 (MEDIUM)
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags (XSS))
Public PoC: No

An HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser

Attack Parameters

Attack Vector: Network (Can be exploited remotely)
Attack Complexity: Low (Easy to exploit)
Privileges Required: None (No privileges needed)
User Interaction: Required (User action required)

Impact Assessment

Confidentiality: Low (Partial data leak)
Integrity: Low (Partial data modification)
Availability: None (No disruption)

CVSS Vector v3.1