{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4794", "assignerOrgId": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "state": "PUBLISHED", "assignerShortName": "PaperCut", "dateReserved": "2026-03-25T00:52:13.130Z", "datePublished": "2026-03-31T00:39:56.135Z", "dateUpdated": "2026-03-31T14:03:59.735Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "shortName": "PaperCut", "dateUpdated": "2026-03-31T00:39:56.135Z"}, "title": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}, {"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}, {"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "PaperCut", "product": "PaperCut NG/MF", "platforms": ["Windows", "MacOS", "Linux"], "versions": [{"status": "affected", "version": "0", "lessThan": "25.0.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10\u00a0allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session)."}]}], "references": [{"url": "https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:03:53.639112Z", "id": "CVE-2026-4794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:03:59.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:03:53.639112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:03:56.164Z"}}], "cna": {"title": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}, {"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}, {"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PaperCut", "product": "PaperCut NG/MF", "versions": [{"status": "affected", "version": "0", "lessThan": "25.0.10", "versionType": "semver"}], "platforms": ["Windows", "MacOS", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10\u00a0allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).", "supportingMedia": [{"type": "text/html", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "shortName": "PaperCut", "dateUpdated": "2026-03-31T00:39:56.135Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4794", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:03:59.735Z", "dateReserved": "2026-03-25T00:52:13.130Z", "assignerOrgId": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "datePublished": "2026-03-31T00:39:56.135Z", "assignerShortName": "PaperCut"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBDB4B03-5DFF-4983-94F4-27097E8DE93D", "versionEndExcluding": "25.0.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3318324-1141-474E-8AC9-75304DE81432", "versionEndExcluding": "25.0.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10\u00a0allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session)."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de cross-site scripting (XSS) en PaperCut NG/MF anteriores a la versi\u00f3n 25.0.10 permiten a usuarios administradores autenticados inyectar scripts web o c\u00f3digo HTML arbitrarios a trav\u00e9s de diferentes campos de la interfaz de usuario. Esto podr\u00eda usarse para comprometer las sesiones de otros administradores o realizar acciones no autorizadas a trav\u00e9s del contexto autenticado del administrador (por ejemplo, requiere una sesi\u00f3n de inicio de sesi\u00f3n activa)."}], "id": "CVE-2026-4794", "lastModified": "2026-04-03T18:15:05.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "type": "Secondary"}]}, "published": "2026-03-31T01:16:36.743", "references": [{"source": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "tags": ["Vendor Advisory"], "url": "https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/"}], "sourceIdentifier": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "eb41dac7-0af8-4f84-9f6d-0272772514f4", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.0.10)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "PaperCut NG/MF", "source": "cna", "vendor": "PaperCut"}, "product": "papercut_mf", "vendor": "papercut"}], "analysis": {"en": {"generated_at": "2026-03-31T05:55:39.381516+00:00", "value": {"mitigation_remediation": ["Apply PaperCut NG/MF version 25.0.10 or later.", "Verify that all installations have been updated and no older instances remain in use.", "Force logout of all administrator sessions after the update to clear any persisted scripts.", "If the patch cannot be applied immediately, restrict administrative UI inputs to strip script tags until the update is installed."], "summary": {"action": "Apply patch", "impact": "Potential admin session hijacking or unauthorized admin actions via XSS"}, "threat_synthesis": {"affected_systems": "All installations of PaperCut NG/MF before release 25.0.10 are affected. The vulnerabilities were identified in the PaperCut NG/MF product line. No other products or versions were listed in the CNA data.", "description_and_impact": "These multiple cross\u2011site scripting vulnerabilities exist in PaperCut NG/MF versions prior to 25.0.10. They allow an authenticated administrator to inject arbitrary JavaScript or HTML through various user interface fields. The injected code would execute in the context of any administrator visiting the affected pages, potentially compromising other admins\u2019 sessions or carrying out unauthorized privileged operations.", "risk_and_exploitability": "The CVSS score of 2.1 indicates a low overall impact, but the requirement for administrator authentication limits the attack surface to users who have already gained legitimate access. An attacker who can reach an authenticated admin session could use the XSS payload to hijack other admins\u2019 sessions or execute privileged commands. EPSS data is not available, and the vulnerability has not been listed in the CISA KEV catalog, suggesting that it is not currently being actively exploited. Consequently, while the risk is moderate, it remains prudent to apply the patch."}}}}, "created": "2026-03-31T19:56:46.124704+00:00", "updated": "2026-04-03T09:10:49.191222+00:00", "vendors": ["papercut", "papercut$PRODUCT$papercut_mf"]}