VYPR
Medium severity · NVD Advisory · Published May 14, 2026 · Updated May 14, 2026

CVE-2026-21730

Description

Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and password combination, the supplied username value is recorded in the application logs. Due to lack of input sanitization, an attacker can inject a malicious XSS payload into the username field. This payload will be executed in the context of the administrator’s browser when the admin accesses the web application's log viewer.

The vendor was notified early about this vulnerability, but didn't respond to our messages. This issue was fixed in version 10.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Verba before 10.0.6 has a stored XSS in its login logging; an unauthenticated attacker can inject a malicious payload that executes when an admin views the logs.

Vulnerability

All versions of Verint Verba prior to 10.0.6 contain a Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the login logging mechanism [1]. When an unauthenticated remote attacker submits a login attempt with an arbitrary username and password combination, the supplied username value is recorded verbatim in the application logs without any sanitization [1]. The vulnerable code path is reachable via any standard login interface exposed by the product.

Exploitation

An attacker does not require authentication or any prior access to the network beyond the ability to reach the Verba login page [1]. The attacker crafts an HTTP request containing a JavaScript payload in the username field (e.g., ``). After the server logs the failed attempt, an administrator must access the web application's log viewer for the payload to execute [1]. No user interaction from the attacker is needed beyond the initial request; the trigger is the administrator opening the logs.

Impact

Successful exploitation results in arbitrary JavaScript execution in the context of the administrator’s browser session. This can lead to information disclosure (e.g., session cookies, CSRF tokens), further client-side attacks, or actions performed under the admin's privileges [1]. The scope is the administrator’s web session with the Verba application.

Mitigation

The vulnerability is fixed in Verba version 10.0.6 [1]. The vendor was notified but did not respond; however, the fix was included in that release [1]. All deployments running versions earlier than 10.0.6 should be upgraded immediately. No workaround is described in the available references.
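The following is an added illustration of the flaw class described in the Vulnerability and Mitigation sections, not Verba's own code: a minimal log viewer that renders failed-login records into HTML. The record shape, field names and sample usernames are constructed assumptions, since the advisory does not describe Verba's log format. The unsafe renderer shows the CWE-79 pattern (untrusted username concatenated into HTML unchanged); the hardened renderer escapes every untrusted field at the point where it enters an HTML context, which is the output-encoding fix a log viewer needs regardless of what the logging side does. A small detection helper flags records whose username contains HTML-significant characters, which is a cheap signal a defender can run over existing logs.

```javascript
// Added illustration, not Verba code. The record shape and field names
// (ts, event, username) are assumptions; Verba's real log format is not
// described in the advisory.

// Constructed sample log records: the second username carries markup of the
// kind a stored-XSS payload in a failed-login record would contain.
const SAMPLE_LOG = [
  { ts: "2026-05-14T10:00:00Z", event: "login_failed", username: "alice" },
  { ts: "2026-05-14T10:00:05Z", event: "login_failed", username: "<script>x</script>" },
];

// Vulnerable pattern (CWE-79): the untrusted username is concatenated into
// HTML unchanged, so the log viewer hands attacker markup straight to the
// administrator's browser.
function renderLogUnsafe(records) {
  return records
    .map(r => `<tr><td>${r.ts}</td><td>${r.event}</td><td>${r.username}</td></tr>`)
    .join("\n");
}

// HTML-escape a string for insertion into element content or a quoted
// attribute. Ampersand is replaced first so later replacements are not
// double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every field that came from outside the application is
// escaped where it is written into HTML, so the admin sees the payload as
// literal text instead of executing it.
function renderLogSafe(records) {
  return records
    .map(r =>
      `<tr><td>${escapeHtml(r.ts)}</td><td>${escapeHtml(r.event)}</td>` +
      `<td>${escapeHtml(r.username)}</td></tr>`)
    .join("\n");
}

// Detection helper for defenders: return records whose username contains
// characters that only matter inside an HTML context. Legitimate account
// names have no reason to include them, so hits are worth a look.
function findSuspiciousUsernames(records) {
  return records.filter(r => /[<>"'&]/.test(r.username));
}

// Quick self-check: the unsafe renderer leaks raw tags, the safe one does not.
const unsafeHtml = renderLogUnsafe(SAMPLE_LOG);
const safeHtml = renderLogSafe(SAMPLE_LOG);
console.log("raw <script> in unsafe output:", unsafeHtml.includes("<script>"));
console.log("raw <script> in safe output:", safeHtml.includes("<script>"));
console.log("suspicious records:", findSuspiciousUsernames(SAMPLE_LOG).length);
```

Escaping at render time is the durable fix because the log store legitimately holds whatever the user typed; stripping input on the way in would also destroy forensic value. In a browser-side viewer the equivalent is to assign untrusted fields with `textContent` rather than `innerHTML`, and a Content-Security-Policy that disallows inline script limits the blast radius if an escape is ever missed.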

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)