VYPR
Advisory published Jun 24, 2026 · 1 source

Quest NetVault Backup addclient3 XSS Authentication Bypass (CVE-2026-9780) Disclosed by ZDI

A cross-site scripting flaw in the addclient3 component of Quest NetVault Backup (CVE-2026-9780), rated CVSS 8.8, allows remote attackers to bypass authentication.

The Zero Day Initiative (ZDI) has disclosed a high-severity cross-site scripting (XSS) vulnerability in Quest NetVault Backup's addclient3 webpage, tracked as CVE-2026-9780 under ZDI-26-369. The flaw carries a CVSS score of 8.8 and allows remote attackers to bypass authentication on affected installations of the enterprise backup management software. Successful exploitation requires user interaction—the targeted user must visit a malicious page or open a malicious file—but the potential impact is severe: the vulnerability can be leveraged in conjunction with other flaws to achieve arbitrary code execution at the SYSTEM level.

The specific weakness resides in the addclient3 component, where the application fails to properly validate user-supplied input before including it in web page output. This omission allows an attacker to inject arbitrary client-side scripts, which then execute in the context of the victim's browsing session. Because the script runs under the authenticated user's privileges, the attacker can effectively impersonate that user and bypass authentication controls designed to protect the backup environment. While XSS alone typically yields limited access, the advisory notes that chaining this with other issues—such as a command injection or SQL injection vulnerability in related NetVault components—could lead to full system compromise.
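The advisory describes the flaw only as unvalidated input being written into page output. The following is an added illustration of that flaw class and its standard fix, not NetVault's code: the real addclient3 parameters are not public, so the handler, the `client_name` parameter and the sample input below are all assumptions constructed for the example. The unsafe renderer reproduces the weakness (untrusted text becomes live markup); the hardened renderer validates against an allowlist and entity-encodes on output, which is the mitigation a code reviewer would look for.

```python
import html
import re

# Hypothetical "add client" handler. 'client_name' is an assumed parameter
# name; NetVault's actual addclient3 parameters are not part of the advisory.

# Allowlist: a client name must look like a DNS hostname (RFC 1123 labels).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def render_unsafe(client_name: str) -> str:
    """The flaw class in the advisory: the request value is concatenated
    straight into HTML, so any tags it contains are interpreted by the browser."""
    return f"<p>Client {client_name} added.</p>"


def render_encoded(client_name: str) -> str:
    """Output encoding alone: every HTML-significant character becomes an
    entity, so the value is displayed as text rather than parsed as markup."""
    return f"<p>Client {html.escape(client_name, quote=True)} added.</p>"


def render_safe(client_name: str) -> str:
    """Hardened version: reject anything that is not a plausible hostname,
    then encode on output anyway (defence in depth: the encoding protects
    the page even if the allowlist is later loosened)."""
    if not HOSTNAME_RE.fullmatch(client_name):
        raise ValueError("invalid client name")
    return render_encoded(client_name)


def render_safe_or_error(client_name: str) -> str:
    """Request-level wrapper: invalid input yields a fixed error page, and
    the rejected value is never echoed back."""
    try:
        return render_safe(client_name)
    except ValueError:
        return "<p>Client name rejected.</p>"


def echoes_raw_markup(rendered: str, untrusted: str) -> bool:
    """Reviewer/tester check: did a tag-bearing input survive verbatim in the
    response? True means the page is reflecting markup unencoded."""
    return "<" in untrusted and untrusted in rendered


# Constructed test value, not a real payload from the advisory.
CONSTRUCTED_INPUT = '<script>document.title="injected"</script>'

if __name__ == "__main__":
    print("unsafe :", render_unsafe(CONSTRUCTED_INPUT))
    print("encoded:", render_encoded(CONSTRUCTED_INPUT))
    print("safe   :", render_safe_or_error(CONSTRUCTED_INPUT))
    print("valid  :", render_safe("backup-01.example.internal"))
```

The `echoes_raw_markup` check is the kind of assertion worth adding to an application's own test suite for every page that reflects a request parameter: it fails on the unsafe renderer and passes on both hardened ones, which is exactly the regression a patch for this class of bug should be measured against.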

Quest has released an update to address the vulnerability. Users can find details in the official release notes for NetVault Backup version 14.0.2 at the vendor's support portal. The advisory encourages all administrators to upgrade as soon as possible, given that backup infrastructure is often a high-value target for attackers seeking persistence or access to sensitive organizational data.

The disclosure timeline shows the vulnerability was reported to Quest on September 24, 2025, with the coordinated public release occurring on June 24, 2026—a roughly nine-month window between report and patch availability. The advisory credits a researcher identified by the hash 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 for discovering the flaw. This disclosure adds to a recent wave of ZDI advisories for Quest NetVault Backup, following separate SQL injection vulnerabilities (CVE-2026-7569, CVE-2026-7570, CVE-2026-9781 through CVE-2026-9787) that affect other components of the same product.

The cumulative volume of vulnerabilities in Quest NetVault Backup—spanning SQL injection, command injection, and now XSS—raises concerns about the product's overall security posture. Administrators should treat all June 2026 advisories as a batch requiring immediate attention. Upgrading to the latest supported version and restricting web access to management interfaces are prudent mitigations. Given that the exploit chain requires user interaction, organizations should also remind backup operators to avoid clicking untrusted links while logged into the backup console.

Synthesized by Vypr AI