CVE-2026-4794 LOW

CVE-2026-4794: Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF

Vendor Papercut
Product PaperCut NG/MF
Weakness CWE-79 · XSS
Published March 31, 2026
Last update March 31, 2026
View on NVD All CVEs

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).

Key dates

02Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-50452 WordPress Nexter Blocks plugin <= 3.3.3 - Cross Site Scripting (XSS) vulnerability CVE-2023-48502 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2023-37979 WordPress Ninja Forms Plugin <= 3.6.25 is vulnerable to Cross Site Scripting (XSS) CVE-2024-9354 Estatik Mortgage Calculator <= 2.0.11 - Reflected Cross-Site Scripting CVE-2023-28778 WordPress Pagination by BestWebSoft Plugin <= 1.2.2 is vulnerable to Cross Site Scripting (XSS)