VYPR
Medium severity (5.4) · NVD Advisory · Published Apr 6, 2026 · Updated Apr 16, 2026

CVE-2026-31153

Description

A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Bynder v0.1.394 allows attackers to execute arbitrary scripts via a crafted payload in the collection name field.

Vulnerability Overview

CVE-2026-31153 is a stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394, an enterprise digital asset management (DAM) platform. The flaw resides in the collection name input field, where user-supplied data is not properly sanitized before being stored and later rendered in the dashboard interface. An attacker can inject arbitrary HTML or JavaScript payloads that persist on the server and execute in the context of other users' browsers.

Exploitation Details

Exploitation requires an authenticated user with the ability to create or modify collections. As demonstrated in the proof-of-concept [2], the attacker logs into the application, navigates to the collections section, and creates a new collection with a name containing an XSS payload such as ">. When another user (or the attacker) views the dashboard and hovers the mouse over the malicious collection name, the injected script executes. No additional privileges or network position beyond standard user access are needed.

Impact

Successful exploitation allows an attacker to execute arbitrary web scripts or HTML in the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The stored nature of the XSS means the payload affects all users who view the affected collection, increasing the potential reach of an attack.

Mitigation Status

As of the publication date (April 2026), no official patch has been announced by Bynder. Users of Bynder v0.1.394 are advised to apply input validation and output encoding for user-controlled fields, or restrict collection creation privileges to trusted users. The vendor may release a security update in future versions.
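As an added illustration of the mitigation described above (example code, not Bynder's own), the following shows context-aware HTML encoding and an allow-list check for collection names beside the unsafe string-concatenation pattern the advisory describes. The dashboard tile markup and the use of a title attribute for the hover tooltip are assumptions.

```javascript
// Added example (not Bynder code): output encoding and input validation
// for a user-controlled collection name rendered into a dashboard tile.
// Assumption: the name is shown both as tile text and as a hover tooltip
// (title attribute); the element and class names are hypothetical.

// Encode for HTML text and double-quoted attribute contexts. Every
// character that can change the parsing context is replaced.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Server-side input validation: allow-list for collection names.
// Rejects empty or over-long names and any name containing characters a
// DAM collection name does not need (angle brackets, quotes, controls).
function isValidCollectionName(name) {
  return typeof name === "string"
    && name.length >= 1 && name.length <= 100
    && /^[\p{L}\p{N} _\-.,()&]+$/u.test(name);
}

// Vulnerable rendering (the pattern behind the advisory): raw
// concatenation places untrusted text in attribute and text context.
function renderCollectionTileUnsafe(name) {
  return `<div class="collection" title="${name}">${name}</div>`;
}

// Hardened rendering: the same template with the name encoded at each
// interpolation point. Encoding at output time also protects names that
// were stored before validation was introduced.
function renderCollectionTile(name) {
  const safe = encodeHtml(name);
  return `<div class="collection" title="${safe}">${safe}</div>`;
}

// Constructed sample name with characters that would otherwise break out
// of the attribute or text context; not an exploit payload.
const sampleName = 'Q3 "Brand" <Assets> & more';
console.log(renderCollectionTileUnsafe(sampleName));
console.log(renderCollectionTile(sampleName));
console.log(isValidCollectionName(sampleName)); // false
```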

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)