{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6179", "assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "state": "PUBLISHED", "assignerShortName": "FSOFT", "dateReserved": "2026-04-13T02:18:11.562Z", "datePublished": "2026-04-13T02:27:53.206Z", "dateUpdated": "2026-04-13T18:06:17.801Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "shortName": "FSOFT", "dateUpdated": "2026-04-13T02:27:53.206Z"}, "title": "Stored Cross Site Scripting in NightWolf Penetration Testing Platform", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "FPT Software", "product": "NightWolf Penetration Testing Platform", "versions": [{"status": "affected", "version": "2.1.5"}, {"status": "unaffected", "version": "2.1.6"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser"}]}], "references": [{"url": "https://bug.report.night-wolf.io/changelogs"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"}}], "timeline": [{"time": "2026-04-11T10:00:00.000Z", "lang": "en", "value": "The reporter submits the vulnerability to security_report@fpt.com."}, {"time": "2026-04-12T11:00:00.000Z", "lang": "en", "value": "The security team verifies the issue and provides a fixing solution."}, {"time": "2026-04-13T01:00:00.000Z", "lang": "en", "value": "The security team releases the fix, retests the issue, and closes the vulnerability."}, {"time": "2026-04-13T02:00:00.000Z", "lang": "en", "value": "Assign a CVE to the reporter."}], "credits": [{"lang": "en", "value": "Phan Cong Anh Tuan (phanconganhtuan2003@gmail.com)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6179", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:36:38.518612Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:06:17.801Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser"}], "id": "CVE-2026-6179", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "type": "Secondary"}]}, "published": "2026-04-13T03:16:03.297", "references": [{"source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "url": "https://bug.report.night-wolf.io/changelogs"}], "sourceIdentifier": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.1.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NightWolf Penetration Testing Platform", "source": "cna", "vendor": "FPT Software"}, "product": "nightwolf_penetration_testing_platform", "vendor": "fpt_software"}], "analysis": {"en": {"generated_at": "2026-04-13T03:20:20.620322+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s advisory page for a patch that addresses the stored XSS issue and apply it immediately.", "If a patch is not yet available, enforce strict input validation and output encoding for all fields that accept user data before rendering it in the browser.", "Restrict or revoke permissions for users who can create or modify data that appears on public or shared interfaces, thereby limiting the attack surface.", "Configure web application firewalls to detect and block common XSS payloads and monitor logs for signs of unexpected script execution or unauthorized data changes."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the NightWolf Penetration Testing Platform developed by FPT Software. The advisory does not list specific versions, so any deployment of the platform that accepts user input and subsequently displays that data to users is potentially impacted.", "description_and_impact": "The NightWolf Penetration Testing Platform is vulnerable to stored cross\u2011site scripting. This weakness allows an attacker to insert malicious script into data fields stored within the platform. When a legitimate user views the affected content, the script executes in the user's browser, enabling the attacker to steal session cookies, hijack user sessions, deface the interface, or perform other client\u2011side actions. The vulnerability results from unsanitized input leading to improper encoding of output.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity, reflecting a medium base score that balances the likelihood of exploitation with the potential impact on confidentiality, integrity, and availability. Because an EPSS score is unavailable, the precise exploitation probability remains uncertain. The vulnerability is not cataloged in CISA\u2019s KEV list, suggesting no known active exploitation. The attack vector typically involves an attacker submitting malicious payload into a stored field; the attacker must possess sufficient privileges to create or edit that data, and subsequent users who view the data will become victims."}}}}, "created": "2026-04-13T12:37:51.302632+00:00", "updated": "2026-04-13T12:53:39.089055+00:00", "vendors": ["fpt_software", "fpt_software$PRODUCT$nightwolf_penetration_testing_platform"]}