Home

Description

The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing.

PUBLISHED Reserved 2026-05-08 | Published 2026-06-23 | Updated 2026-06-23 | Assigner hackerone

Problem types

CWE-287 Improper Authentication - Generic

Product status

Default status
unaffected

Any version
affected

Credits

barcrange (3l4) reporter

References

hackerone.com/reports/3680090

cve.org (CVE-2026-44961)

nvd.nist.gov (CVE-2026-44961)

Download JSON