{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5332", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-01T13:57:58.665Z", "datePublished": "2026-04-02T13:15:11.183Z", "dateUpdated": "2026-04-02T13:15:11.183Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T13:15:11.183Z"}, "title": "Xiaopi Panel WAF Firewall demo.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "Xiaopi", "product": "Panel", "versions": [{"version": "1.0.0", "status": "affected"}], "modules": ["WAF Firewall"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-01T16:03:05.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Customer (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354666", "name": "VDB-354666 | Xiaopi Panel WAF Firewall demo.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354666/cti", "name": "VDB-354666 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780839", "name": "Submit #780839 | Xiaopi Web Application Firewall V1.0.0 Bypass", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ltranquility/vuln_submit/issues/1", "tags": ["exploit", "issue-tracking"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5332", "lastModified": "2026-04-02T14:16:36.163", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T14:16:36.163", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/ltranquility/vuln_submit/issues/1"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780839"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354666"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354666/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Panel", "source": "cna", "vendor": "Xiaopi"}, "product": "panel", "vendor": "xiaopi"}], "analysis": {"en": {"generated_at": "2026-04-02T15:06:59.658480+00:00", "value": {"mitigation_remediation": ["Apply a vendor patch if one becomes available for Xiaopi Panel 1.0.0", "If a patch is not available, disable or remove access to the /demo.php file from the web server", "Configure the web application firewall to reject requests that contain suspicious script payloads in the param argument", "Verify that the application performs proper input validation or encoding of user provided data", "Monitor web application logs for repeated attempts to inject malicious scripts and block offending IP addresses"], "summary": {"action": "Patch ASAP", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is Xiaopi Panel, specifically version 1.0.0. This version is exposed by the /demo.php file in the WAF Firewall component. No other versions or products are listed in the available data.", "description_and_impact": "A flaw in Xiaopi Panel version 1.0.0 occurs in the file /demo.php, where an attacker can manipulate the param argument to inject malicious script code. The injected code runs in the context of any user who views the affected page, enabling classic cross\u2011site scripting risks such as session hijacking, credential theft, or defacement of the web interface. The vendor has not provided a fix and the vulnerability is publicly documented, indicating that the attack is possible over the network.", "risk_and_exploitability": "The CVSS score for the vulnerability is 5.1, representing moderate risk. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but a public exploit exists, making remote exploitation feasible. Attackers likely leverage the web interface by crafting a URL containing the malicious param value; the vulnerability does not require authentication and is accessible to anyone who can access the demo.php endpoint. Due to the lack of vendor remediation, the risk remains until a patch or sufficient mitigation is deployed."}}}}, "created": "2026-04-02T20:12:35.067070+00:00", "updated": "2026-04-02T20:21:15.166247+00:00", "vendors": ["xiaopi", "xiaopi$PRODUCT$panel"]}