CVE-2026-3877 HIGH

CVE-2026-3877: Reflected Cross-Site Scripting in Dashboard Search

Vendor Vertigis
Product VertiGIS FM
Weakness CWE-79 · XSS
Published April 1, 2026
Last update April 1, 2026
View on NVD All CVEs

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.

Key dates

02Disclosure timeline

April 1, 2026 CVE published
April 1, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-45073 IBM WebSphere Application Server cross-site scripting CVE-2024-26125 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2022-1164 Wyzi < 2.4.3 - Reflected Cross-Site Scripting (XSS) CVE-2024-34575 WordPress DethemeKit For Elementor plugin <= 2.1.2 - Cross Site Scripting (XSS) vulnerability CVE-2024-5260 Sina Extension for Elementor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via read_more_text Parameter