VYPR
High severity (8.7) · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-41031

Description

Stored XSS in Vinna Process Monitor allows low-privilege authenticated users to steal admin tokens by injecting JavaScript into media imports.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Media import functionality of Vinna Process Monitor. Versions 3.1.0 through 3.1.4 and 4.0.0 through 4.0.6 are affected. An authenticated user can inject malicious JavaScript code into the application via the media import feature [1].

Exploitation

An attacker must first be authenticated to the application and have low privileges. They can then upload a malicious HTML file containing JavaScript to the Media import feature. The vulnerability is triggered when an administrator opens a link to this file, causing the embedded JavaScript to execute without the administrator's knowledge [1].

Impact

Successful exploitation allows an attacker to steal administrative access tokens and session credentials, specifically the administrator's Bearer token from browser storage. This grants the attacker full application access with administrative privileges [1].

Mitigation

Vinna Process Monitor versions 4.0.7 and later, and 3.1.5 and later, contain the fix. Users are advised to upgrade to version 4.0.7 or later. For users on the 3.1.x branch who cannot upgrade immediately, workarounds include restricting network access to Process Monitor to the corporate network only, and educating users not to follow links to Process Monitor from untrusted sources until version 3.1.8 is released in September 2026 [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. This section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)