Stored XSS in AdaptiveGRC_CVE-2026-4313

2.4 / 10

LOW

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Description

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser.
Critically, this may allow the attacker to obtain the administrator authentication token and perform arbitrary actions with administrative privileges, which could lead to further compromise.

This issue occurs in versions released before December 2025.

Basic Information

ID CVE-2026-4313

Source CERT-PL

Published Apr 24, 2026 at 11:05

Modified Apr 24, 2026 at 12:01

Affected Product

Vendor C&F

Product AdaptiveGRC

Version 5.420.00

Affected Versions C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00
C&F AdaptiveGRC 5.420.00

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in\u00a0arbitrary JavaScript execution in the victim's browser.\nCritically, this may\u00a0allow the attacker to obtain the administrator authentication token and\u00a0perform arbitrary actions with administrative privileges, which could lead to further compromise.\n\nThis issue occurs in versions released before December 2025.",
    "published": "2026-04-24T11:05:42.839Z",
    "modified": "2026-04-24T12:01:12.557Z",
    "type": "cve",
    "title": "Stored XSS in AdaptiveGRC",
    "source": "CERT-PL",
    "references": "https://cert.pl/posts/2026/04/CVE-2026-4313\nhttps://adaptivegrc.com/pl/wszystkie-procesy-grc-w-jednym-narzedziu/",
    "id": "CVE-2026-4313",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "C&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00\nC&F AdaptiveGRC 5.420.00",
    "sourceHref": "",
    "cvss": {
        "score": 2.4,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AdaptiveGRC",
    "version": "5.420.00",
    "vendor": "C&F",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}