What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Svetoslav Marinov Orbisius Simple Notice orbisius-simple-notice allows Stored XSS. This issue affects Orbisius Simple Notice: from n/a through <= 1.1.3.
Explanation of Vulnerability in Simple Terms
02 Summary
Orbisius Simple Notice versions 1.1.3 and earlier contain a cross-site scripting (XSS) vulnerability. An authenticated administrator can inject malicious scripts that execute in other users' browsers when they view the notice. The vulnerability requires user interaction—the victim must visit a page displaying the notice. Impact is limited to low-severity data exposure and site defacement.
What an attacker can do
03 Attacker Capabilities
Inject JavaScript that runs in other users' browsers when they view a notice.
Potential impact on your site
04 Site Impact
Malicious admins can steal session tokens, deface notices, or redirect users to phishing sites.
Conditions required to exploit
05 Prerequisites
Administrator account access; victim must view the affected notice.
Key dates
06 Disclosure timeline
January 24, 2025: CVE published
April 28, 2026: Record updated