VYPR
Low severity · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026

CVE-2026-4313

Description

AdaptiveGRC is vulnerable to stored XSS via text-type fields across its forms. An authenticated attacker can replace the value of a text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this may allow the attacker to obtain the administrator's authentication token and perform arbitrary actions with administrative privileges, which could lead to further compromise.

This issue occurs in versions released before December 2025.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AdaptiveGRC before December 2025 is vulnerable to stored XSS through text fields, allowing an authenticated attacker to steal the admin's token.

Vulnerability

AdaptiveGRC is susceptible to stored cross-site scripting (XSS) due to improper neutralization of user-supplied input in text fields within forms. An authenticated attacker can replace the value of a text field in an HTTP POST request, and the server fails to validate the parameter correctly, resulting in arbitrary JavaScript execution in the victim's browser [2].

Exploitation

The attack requires an authenticated user to craft a malicious payload and submit it via a text field. The injected script is stored on the server and later executed when a victim, such as an administrator, views the affected form. No additional privileges beyond a valid user account are needed to inject the script [1], [2].

Impact

Successful exploitation may allow the attacker to obtain the administrator's authentication token. With this token, the attacker can perform arbitrary actions with administrative privileges, potentially leading to further compromise of the AdaptiveGRC instance and its associated data [2].

Mitigation

The vulnerability affects versions released before December 2025. Users should upgrade to a patched version provided by the vendor (C&F). No workaround is mentioned in the available references [1], [2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)