Xibosignage

All CVEs

25 total · sorted by risk
  • CVE-2024-29022 · High · Apr 12, 2024
    risk 0.50 · cvss 8.8 · epss 0.01

    Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a…

  • CVE-2026-42558 · High · Jun 10, 2026
    risk 0.42 · cvss 7.6 · epss 0.00

    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the…

  • CVE-2026-31952 · High · Apr 24, 2026
    risk 0.42 · cvss 7.6 · epss 0.00

    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an…

  • CVE-2024-29023 · High · Apr 12, 2024
    risk 0.40 · cvss 7.2 · epss 0.01

    Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session.…

  • CVE-2026-31953 · Medium · Apr 24, 2026
    risk 0.35 · cvss 6.4 · epss 0.00

    Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject…

  • CVE-2024-41944 · Medium · Jul 30, 2024
    risk 0.35 · cvss 6.5 · epss 0.00

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially…

  • CVE-2025-41088 · Medium · Oct 10, 2025
    risk 0.33 · cvss · epss 0.00

    Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and…

  • CVE-2025-41089 · Medium · Oct 10, 2025
    risk 0.31 · cvss · epss 0.00

    Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field,…

  • CVE-2026-31955 · Medium · Apr 24, 2026
    risk 0.25 · cvss 4.9 · epss 0.00

    Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP…

  • CVE-2026-31956 · Medium · Apr 24, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users.…

  • CVE-2023-33177 · May 30, 2023
    risk 0.04 · cvss · epss 0.07

    Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library…

  • CVE-2013-5979 · Oct 2, 2013
    risk 0.04 · cvss · epss 0.18

    Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.

  • CVE-2013-4889 · Jan 29, 2014
    risk 0.03 · cvss · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting…

  • CVE-2013-4888 · Jan 29, 2014
    risk 0.03 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page.

  • CVE-2025-62369 · Nov 4, 2025
    risk 0.00 · cvss · epss 0.01

    Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit…

  • CVE-2024-43413 · Sep 3, 2024
    risk 0.00 · cvss · epss 0.00

    Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a…

  • CVE-2024-43412 · Sep 3, 2024
    risk 0.00 · cvss · epss 0.00

    Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload…

  • CVE-2024-41804 · Jul 30, 2024
    risk 0.00 · cvss · epss 0.00

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by…

  • CVE-2024-41802 · Jul 30, 2024
    risk 0.00 · cvss · epss 0.00

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially…

  • CVE-2024-41803 · Jul 30, 2024
    risk 0.00 · cvss · epss 0.00

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted…

  • CVE-2023-33181 · May 30, 2023
    risk 0.00 · cvss · epss 0.01

    Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users…

  • CVE-2023-33180 · May 30, 2023
    risk 0.00 · cvss · epss 0.01

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting…

  • CVE-2023-33179 · May 30, 2023
    risk 0.00 · cvss · epss 0.01

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by…

  • CVE-2023-33178 · May 30, 2023
    risk 0.00 · cvss · epss 0.01

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo…

  • CVE-2013-4887 · Jan 29, 2014
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter.