{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32963", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-17T00:23:24.981Z", "datePublished": "2026-04-20T03:18:07.431Z", "dateUpdated": "2026-04-20T14:04:22.838Z"}, "containers": {"cna": {"affected": [{"vendor": "silex technology, Inc.", "product": "SD-330AC", "versions": [{"version": "Ver.1.42 and earlier", "status": "affected"}]}, {"vendor": "silex technology, Inc.", "product": "AMC Manager", "versions": [{"version": "Ver.5.0.2 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. contain a reflected cross-site scripting vulnerability. When a user logs in to the affected device and access some crafted web page, arbitrary script may be executed on the user's browser."}], "problemTypes": [{"descriptions": [{"description": "Cross-site scripting (XSS)", "lang": "en-US", "cweId": "CWE-79", "type": "CWE"}]}], "references": [{"url": "https://www.silex.jp/support/security-advisories/en/2026-001"}, {"url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"url": "https://jvn.jp/en/vu/JVNVU94271449/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-20T03:18:07.431Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:04:14.460369Z", "id": "CVE-2026-32963", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:04:22.838Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32963", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:04:14.460369Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:04:18.621Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "silex technology, Inc.", "product": "SD-330AC", "versions": [{"status": "affected", "version": "Ver.1.42 and earlier"}]}, {"vendor": "silex technology, Inc.", "product": "AMC Manager", "versions": [{"status": "affected", "version": "Ver.5.0.2 and earlier"}]}], "references": [{"url": "https://www.silex.jp/support/security-advisories/en/2026-001"}, {"url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"url": "https://jvn.jp/en/vu/JVNVU94271449/"}], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. contain a reflected cross-site scripting vulnerability. When a user logs in to the affected device and access some crafted web page, arbitrary script may be executed on the user's browser."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site scripting (XSS)"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-20T03:18:07.431Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32963", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:04:22.838Z", "dateReserved": "2026-03-17T00:23:24.981Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-04-20T03:18:07.431Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SD-330AC and AMC Manager provided by silex technology, Inc. contain a reflected cross-site scripting vulnerability. When a user logs in to the affected device and access some crafted web page, arbitrary script may be executed on the user's browser."}], "id": "CVE-2026-32963", "lastModified": "2026-04-20T19:05:30.750", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-20T04:16:44.987", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU94271449/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.silex.jp/support/security-advisories/2026-001"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.silex.jp/support/security-advisories/en/2026-001"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "AMC Manager", "source": "cna", "vendor": "silex technology, Inc."}, "product": "amc_manager", "vendor": "silextechnology"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.42]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SD-330AC", "source": "cna", "vendor": "silex technology, Inc."}, "product": "sd-330ac", "vendor": "silextechnology"}], "analysis": {"en": {"generated_at": "2026-04-20T05:51:56.033635+00:00", "value": {"mitigation_remediation": ["Install the latest firmware update for the SD\u2011330AC and AMC Manager devices as published by silex technology, Inc. (reference report https://www.silex.jp/support/security-advisories/2026-001).", "If immediate update is not possible, configure the devices\u2019 web interface to enforce a strict Content\u2011Security\u2011Policy that disallows inline scripts and restricts script sources to trusted origins.", "Implement input sanitization on any user\u2011generated content displayed by the device, ensuring that output is properly escaped for HTML contexts to eliminate reflected script payloads.", "Consider disabling or limiting the affected functions that render user input until the patch is applied."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw exists in the SD\u2011330AC and AMC Manager appliances from silex technology, Inc. No specific vulnerable version ranges are publicly disclosed, so all deployed units should be considered at risk until a vendor patch is applied.", "description_and_impact": "The vulnerability is a reflected cross\u2011site scripting flaw that allows arbitrary JavaScript to run in a logged\u2011in user's browser when they visit a specially crafted page. The description does not specify additional consequences beyond the execution of that script in the browser context.", "risk_and_exploitability": "The CVSS v3.1 score of 5.1 indicates moderate severity, and the EPSS score is not available, so we cannot quantify current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need a legitimate authenticated user who has accessed the device to load a crafted URL; once loaded, the injected script runs in the context of that user's browser, exploiting trust in the device\u2019s UI."}}}}, "created": "2026-04-20T06:00:08.100392+00:00", "title": "Reflected Cross\u2011Site Scripting via Crafted Web Pages", "updated": "2026-04-20T14:58:21.449301+00:00", "vendors": ["silextechnology", "silextechnology$PRODUCT$amc_manager", "silextechnology$PRODUCT$sd-330ac"]}