CVE-2026-2276 MEDIUM

CVE-2026-2276: Reflected Cross-Site Scripting in the Wix web application

Vendor Wix
Product web application
Weakness CWE-79 · XSS
Published February 12, 2026
Last update February 13, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.

Key dates

02Disclosure timeline

February 12, 2026 CVE published
February 13, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-3722 Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) <= 4.9 - Authenticated (Author+) Stored Cross-Site Scripting via Image Attribute CVE-2026-1391 Vzaar Media Management <= 1.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] CVE-2025-67555 WordPress UseStrict's Calendly Embedder plugin <= 1.1.7.2 - Cross Site Scripting (XSS) vulnerability CVE-2022-50585 Nagios XI < 5.8.9 Core Config Manager (CCM) XSS via Audit Log Page Search Input CVE-2024-3559 Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_content]