{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30139", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T15:42:44.872Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-22T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-22T15:03:06.978Z"}, "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Silverpeas/Silverpeas-Core/pull/1421"}, {"url": "https://github.com/bodd1593/CVEs-huyle/tree/main/CVE-2026-30139"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/bodd1593/CVEs-huyle/tree/main/CVE-2026-30139", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:41:18.308868Z", "id": "CVE-2026-30139", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:42:44.872Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30139", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:41:18.308868Z"}}}], "references": [{"url": "https://github.com/bodd1593/CVEs-huyle/tree/main/CVE-2026-30139", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:40:16.407Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Silverpeas/Silverpeas-Core/pull/1421"}, {"url": "https://github.com/bodd1593/CVEs-huyle/tree/main/CVE-2026-30139"}], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-22T15:03:06.978Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30139", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:42:44.872Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-22T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input."}], "id": "CVE-2026-30139", "lastModified": "2026-04-22T21:18:45.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-22T16:16:53.367", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Silverpeas/Silverpeas-Core/pull/1421"}, {"source": "cve@mitre.org", "url": "https://github.com/bodd1593/CVEs-huyle/tree/main/CVE-2026-30139"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/bodd1593/CVEs-huyle/tree/main/CVE-2026-30139"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.4.6)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 89.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "silverpeas", "vendor": "silverpeas"}], "analysis": {"en": {"generated_at": "2026-04-27T19:23:39.693914+00:00", "value": {"mitigation_remediation": ["Upgrade Silverpeas Core to version 6.4.6 or later, where the XSS flaw has been fixed.", "Ensure all input to AdvancedSearch is properly sanitized or encoded before being reflected back to the browser to prevent script injection.", "Implement a Content Security Policy that restricts execution of inline scripts and limits allowed script origins to reduce damage if the vulnerability is exploited."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (arbitrary JavaScript execution in user browsers)"}, "threat_synthesis": {"affected_systems": "Silverpeas Core installations running any version earlier than 6.4.6 are affected. No other vendors or product lines are explicitly listed as impacted.", "description_and_impact": "A reflected cross\u2011site scripting flaw in the AdvancedSearch feature of Silverpeas Core allows an attacker to embed malicious JavaScript into responses that are returned to the user \u2013 the code executes in the victim\u2019s browser context. The primary impact is the ability for an attacker to run arbitrary scripts within the context of any user who views the reflected payload.", "risk_and_exploitability": "The vulnerability is a reflected XSS that requires an attacker to supply crafted input, typically via a link or form, that the application reflects back in the browser. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The CVSS score of 6.1 indicates a moderate risk level when exploited. The likely attack vector involves a user following a maliciously constructed URL containing the reflected script."}}}}, "created": "2026-04-27T19:30:12.043114+00:00", "title": "Reflected XSS in Silverpeas AdvancedSearch That Enables Arbitrary JavaScript Execution", "updated": "2026-04-27T20:21:11.330094+00:00", "vendors": ["silverpeas", "silverpeas$PRODUCT$silverpeas"]}