CVE-2026-4794 | THREATINT

Description

Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).

PUBLISHED Reserved 2026-03-25 | Published 2026-03-31 | Updated 2026-03-31 | Assigner PaperCut

LOW: 2.1CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status

unaffected

Any version before 25.0.10

affected

References

www.papercut.com/...rcut-ng-mf-security-bulletin-march-2026/

cve.org (CVE-2026-4794)

nvd.nist.gov (CVE-2026-4794)

Download JSON