Cyber Resilience

CVE-2026-23880

Severity: High

Published: 19 January 2026

Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23880 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-23880 is a stored cross-site scripting (XSS) vulnerability affecting OnboardLite, a membership lifecycle platform developed for student organizations at the University of Central Florida. Versions prior to the commit 1d32081a66f21bcf41df1ecb672490b13f6e429f are vulnerable, specifically in the dashboard functionality for migrating a user's Discord account. The issue stems from improper input validation and output encoding, mapped to CWE-20 (Improper Input Validation), CWE-79 (Improper Neutralization of Input During Web Page Generation), and CWE-116 (Improper Encoding or Escaping of Output). It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.

An authenticated low-privilege user, such as a regular member, can exploit this by injecting a malicious payload into their Discord account details. When an administrator accesses the dashboard to migrate that user's Discord account, the payload renders and executes in the admin's browser context. This allows the attacker to steal the admin's session cookies, perform unauthorized actions on behalf of the admin, or redirect the admin to phishing sites, potentially compromising the entire platform's administrative functions.

The GitHub security advisory (GHSA-93w8-83cg-h89g) and the patching commit (1d32081a66f21bcf41df1ecb672490b13f6e429f) detail the fix, which involves proper sanitization of user-supplied Discord data before rendering in the dashboard. Administrators should update to the commit 1d32081a66f21bcf41df1ecb672490b13f6e429f or later to mitigate the vulnerability, and as an interim measure, avoid migrating untrusted user Discord accounts or implement content security policies to restrict script execution.
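To make the fix concrete, here is an added example (not OnboardLite's own code) of a hypothetical admin-dashboard row renderer for the Discord migration view, shown in its unsafe form beside a hardened one that encodes the user-controlled Discord field before it reaches the markup; the member record and the `renderMigrationRow*`, `escapeHtml` and `containsActiveMarkup` names are all constructed for this illustration.

```javascript
// Constructed sample: the Discord details a low-privilege member could save.
// The username carries an inline event handler, the classic stored-XSS shape.
const constructedMember = {
  email: "member@example.edu",
  discordUsername: '<img src=x onerror="alert(document.cookie)">',
};

// Minimal HTML entity encoding for text placed into an element body or a
// double-quoted attribute value (covers the five characters that matter there).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape (CWE-79 / CWE-116): the stored value is interpolated
// straight into the markup the administrator's browser will parse.
function renderMigrationRowUnsafe(member) {
  return `<tr><td>${member.email}</td><td>${member.discordUsername}</td></tr>`;
}

// Hardened shape: every field that originated from the user is encoded at the
// point of output, so the browser sees text, not tags.
function renderMigrationRowSafe(member) {
  return `<tr><td>${escapeHtml(member.email)}</td><td>${escapeHtml(member.discordUsername)}</td></tr>`;
}

// Review/test helper: true if the rendered HTML still contains the raw
// untrusted value or any tag carrying an on*= event-handler attribute.
function containsActiveMarkup(html, untrustedValue) {
  return html.includes(untrustedValue) || /<[a-z]+[^>]*\son\w+\s*=/i.test(html);
}
```

The hardened renderer is only correct for element-body and quoted-attribute contexts; a value placed inside a script block, a URL or a style attribute needs context-specific encoding instead.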


Vulnerability details

OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1185 Browser Session Hijacking (tactic: Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
- T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The stored XSS fires in the administrator's browser, which directly enables browser session hijacking (T1185) through theft of the admin session cookies, and the vulnerable dashboard is reached by exploiting a public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-66918 (shared CWE-20, CWE-79)
- CVE-2026-1843 (shared CWE-79)
- CVE-2026-42678 (shared CWE-79)
- CVE-2023-49186 (shared CWE-79)
- CVE-2025-22586 (shared CWE-79)
- CVE-2026-1316 (shared CWE-79)
- CVE-2025-23451 (shared CWE-79)
- CVE-2026-34564 (shared CWE-79)
- CVE-2025-23744 (shared CWE-79)
- CVE-2025-23923 (shared CWE-79)


Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly requires validation of user-supplied Discord data to block the malicious payload injection that triggers the stored XSS.
- SI-15 Information Output Filtering (prevent): Requires filtering/encoding of output in the admin migration dashboard so that injected scripts are neutralized before rendering.
- Browser-side execution control (prevent, detect): Can detect or block execution of the malicious script payload when the admin dashboard renders the untrusted Discord input.
