CVE-2026-23880
Published: 19 January 2026
Summary
CVE-2026-23880 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability ranks at the 25.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-23880 is a stored cross-site scripting (XSS) vulnerability affecting OnboardLite, a membership lifecycle platform developed for student organizations at the University of Central Florida. Versions prior to the commit 1d32081a66f21bcf41df1ecb672490b13f6e429f are vulnerable, specifically in the dashboard functionality for migrating a user's Discord account. The issue stems from improper input validation and output encoding, mapped to CWE-20 (Improper Input Validation), CWE-79 (Improper Neutralization of Input During Web Page Generation), and CWE-116 (Improper Encoding or Escaping of Output). It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.
An authenticated low-privilege user, such as a regular member, can exploit this by injecting a malicious payload into their Discord account details. When an administrator accesses the dashboard to migrate that user's Discord account, the payload renders and executes in the admin's browser context. This allows the attacker to steal the admin's session cookies, perform unauthorized actions on behalf of the admin, or redirect the admin to phishing sites, potentially compromising the entire platform's administrative functions.
The GitHub security advisory (GHSA-93w8-83cg-h89g) and the patching commit (1d32081a66f21bcf41df1ecb672490b13f6e429f) detail the fix, which involves proper sanitization of user-supplied Discord data before rendering in the dashboard. Administrators should update to the commit 1d32081a66f21bcf41df1ecb672490b13f6e429f or later to mitigate the vulnerability, and as an interim measure, avoid migrating untrusted user Discord accounts or implement content security policies to restrict script execution.
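As an added illustration of the vulnerable and fixed rendering patterns described above (example code written for this page, not OnboardLite's own; the profile field names and the Discord ID format are assumptions):

```python
import html
import re

# Constructed sample input: a member-controlled Discord profile carrying a
# markup payload of the kind a stored XSS relies on (not taken from the advisory).
MALICIOUS_PROFILE = {
    "username": '<img src=x onerror="alert(1)">',
    "id": "123456789012345678",
}


def render_vulnerable(profile: dict) -> str:
    """'Before' pattern: user-supplied strings are interpolated straight into the
    admin dashboard HTML, so whatever the member typed is parsed as markup."""
    return f"<div class=\"discord\"><b>{profile['username']}</b> ({profile['id']})</div>"


def render_escaped(profile: dict) -> str:
    """Hardened pattern (SI-15): every untrusted field is HTML-escaped at the output
    boundary. quote=True also neutralises quotes, which matters inside attributes."""
    username = html.escape(str(profile.get("username", "")), quote=True)
    discord_id = html.escape(str(profile.get("id", "")), quote=True)
    return f"<div class=\"discord\"><b>{username}</b> ({discord_id})</div>"


def is_valid_discord_id(value: str) -> bool:
    """Input-side check (SI-10). Assumption: Discord IDs are 17 to 20 decimal
    digits (64-bit snowflakes); rejecting anything else keeps markup out of storage."""
    return re.fullmatch(r"[0-9]{17,20}", value) is not None


def markup_leaked(rendered: str, untrusted: str) -> bool:
    """Detection helper: True when the raw untrusted string survives rendering
    unchanged, i.e. the output encoder never ran on it."""
    return untrusted in rendered
```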
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3283
Vulnerability details
OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's Discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables Browser Session Hijacking (T1185) through cookie theft in the admin's browser context, and the injection itself is an instance of Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied Discord data, blocking the payload injection that seeds the stored XSS.
- SI-15 (Information Output Filtering): requires filtering/encoding of output in the admin migration dashboard so that injected scripts are neutralized before rendering.
- Script execution controls (such as a Content Security Policy) can detect or block execution of the malicious script payload when the admin dashboard renders the untrusted Discord input.