CVE-2026-31956 MEDIUM

CVE-2026-31956: Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization

Vendor Xibosignage
Product xibo-cms
Weakness CWE-639 · IDOR
Published April 24, 2026
Last update April 24, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate.

Key dates

02Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated