CVE-2026-23880
Published: 19 January 2026
Summary
CVE-2026-23880 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); it is ranked at the 20.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Directly implements checks on information inputs to reject invalid data before processing.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables browser session hijacking (T1185) via cookie theft in admin context and exploitation of the public-facing web app (T1190).
NVD Description
OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.
Deeper analysis
CVE-2026-23880 is a stored cross-site scripting (XSS) vulnerability affecting OnboardLite, a membership lifecycle platform developed for student organizations at the University of Central Florida. Versions prior to the commit 1d32081a66f21bcf41df1ecb672490b13f6e429f are vulnerable, specifically in the dashboard functionality for migrating a user's Discord account. The issue stems from improper input validation and output encoding, mapped to CWE-20 (Improper Input Validation), CWE-79 (Improper Neutralization of Input During Web Page Generation), and CWE-116 (Improper Encoding or Escaping of Output). It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.
An authenticated low-privilege user, such as a regular member, can exploit this by injecting a malicious payload into their Discord account details. When an administrator accesses the dashboard to migrate that user's Discord account, the payload renders and executes in the admin's browser context. This allows the attacker to steal the admin's session cookies, perform unauthorized actions on behalf of the admin, or redirect the admin to phishing sites, potentially compromising the entire platform's administrative functions.
The GitHub security advisory (GHSA-93w8-83cg-h89g) and the patching commit (1d32081a66f21bcf41df1ecb672490b13f6e429f) detail the fix, which involves proper sanitization of user-supplied Discord data before rendering in the dashboard. Administrators should update to the commit 1d32081a66f21bcf41df1ecb672490b13f6e429f or later to mitigate the vulnerability, and as an interim measure, avoid migrating untrusted user Discord accounts or implement content security policies to restrict script execution.
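As an added example, not OnboardLite's own code (the field names and the dashboard row markup are assumed), this shows the rendering pattern a stored XSS of this kind reduces to, beside the escaped version that corresponds to the sanitization described above, plus a regression check a reviewer can run against either renderer.

```javascript
// Added example: the migration dashboard shape is assumed, not taken from
// OnboardLite. A member-controlled Discord field is rendered to an admin; the
// unsafe version interpolates it into HTML as-is, the safe one escapes it.

// Constructed sample: a member's Discord account details as an admin would see
// them on the migration page. The username carries an injected tag.
const sampleUser = {
  id: 42,
  discordUsername: '<img src=x onerror="alert(1)">member',
};

// Vulnerable pattern: markup built by string interpolation and handed to
// innerHTML (or emitted by a template with escaping turned off). Any tag in
// the stored field becomes part of the admin's page and runs in their session.
function renderMigrationRowUnsafe(user) {
  return `<tr data-user="${user.id}"><td>${user.discordUsername}</td>` +
         `<td><button data-action="migrate">Migrate</button></td></tr>`;
}

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened pattern: every user-controlled value is escaped at the point it is
// written into markup, so the payload is shown as text instead of parsed as a tag.
function renderMigrationRowSafe(user) {
  return `<tr data-user="${escapeHtml(user.id)}">` +
         `<td>${escapeHtml(user.discordUsername)}</td>` +
         `<td><button data-action="migrate">Migrate</button></td></tr>`;
}

// Regression check: a renderer leaks if a user-controlled value containing
// markup characters reaches the output unchanged.
function leaksRawMarkup(renderFn, user) {
  const html = renderFn(user);
  return /[<>"']/.test(user.discordUsername) && html.includes(user.discordUsername);
}
```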
Details
- CWE(s)