Reflected Cross-Site Scripting in the Wix web application_CVE-2026-2276

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.

Basic Information

ID CVE-2026-2276

Source INCIBE

Published Feb 12, 2026 at 10:26

Affected Product

Vendor https://www.lavanguardia.com/vida/20260212/11464294/webs-grupo-godo-sufren-ciberataque.html

Product web application

Version All versions

Affected Versions https://www.lavanguardia.com/vida/20260212/11464294/webs-grupo-godo-sufren-ciberataque.html web application All versions

CWE Classification

CWE-79

References

www.incibe.es /en/incibe-cert/notices/aviso/reflected-cross-site-scripting-wix-web-application

{
    "lastseen": "",
    "description": "Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.",
    "published": "2026-02-12T10:26:04.359Z",
    "modified": "2026-02-12T10:26:04.359Z",
    "type": "cve",
    "title": "Reflected Cross-Site Scripting in the Wix web application",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-wix-web-application",
    "id": "CVE-2026-2276",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "https://www.lavanguardia.com/vida/20260212/11464294/webs-grupo-godo-sufren-ciberataque.html web application All versions",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "web application",
    "version": "All versions",
    "vendor": "https://www.lavanguardia.com/vida/20260212/11464294/webs-grupo-godo-sufren-ciberataque.html",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}