Cyber Resilience

CVE-2026-31952

Severity: High
Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed
Remediation: Patch
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0025 (15.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31952 is a high-severity SQL Injection (CWE-89) vulnerability in Xibosignage Xibo. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31952 is an SQL injection vulnerability in the API routes responsible for filtering DataSets within the Xibo content management system (CMS), part of the open-source Xibo digital signage platform that includes a web CMS and Windows display player software. The flaw affects Xibo CMS versions 1.7 through 4.4.0 and is classified under CWE-89 (SQL Injection) and CWE-184 (Incomplete List of Disallowed Inputs).

An authenticated user with either the "Access to DataSet Feature" privilege or the "Access to the Layout Feature" privilege can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting specially crafted values into the API filter parameter, the attacker can read sensitive data from the Xibo database and modify arbitrary data, giving a high confidentiality impact and low integrity and availability impacts, as reflected in the CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).
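The defensive pattern for a filter parameter like the one described above, as an added example that is not Xibo's code: column and operator names in a DataSet filter are checked against a closed allowlist (the alternative to the incomplete denylist that CWE-184 describes) and every value is passed as a bound parameter, so user text never reaches the SQL grammar. The table, columns and the `col op value; col op value` filter syntax are constructed for illustration.

```python
import re
import sqlite3

# Constructed stand-in for a DataSet table; not Xibo's schema or code.
SAMPLE_ROWS = [("Lobby screen", "public"), ("HR notices", "internal"),
               ("Board deck", "restricted")]

# Allowlist (the CWE-184 fix): identifiers must match a closed set instead
# of being "cleaned" by removing known-bad substrings.
ALLOWED_COLUMNS = {"name", "visibility"}
ALLOWED_OPS = {"=": "=", "!=": "<>", "like": "LIKE"}
CLAUSE_RE = re.compile(r"^(\w+)\s*(=|!=|like)\s*(.+)$", re.IGNORECASE)

class FilterError(ValueError):
    """Raised for any filter the API should answer with HTTP 400."""

def compile_filter(filter_param):
    """Turn 'name like Lobby%; visibility = public' into (where_sql, params).
    Only allowlisted identifiers are interpolated; values are always bound."""
    where, params = [], []
    for clause in filter(None, (c.strip() for c in filter_param.split(";"))):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise FilterError(f"malformed clause: {clause!r}")
        col, op, value = m.group(1).lower(), m.group(2).lower(), m.group(3).strip()
        if col not in ALLOWED_COLUMNS:
            raise FilterError(f"column not allowed: {col!r}")
        where.append(f"{col} {ALLOWED_OPS[op]} ?")
        params.append(value)
    return " AND ".join(where) or "1=1", params

def filter_is_rejected(filter_param):
    """True when validation fails; the endpoint should return 400, not 500."""
    try:
        compile_filter(filter_param)
    except FilterError:
        return True
    return False

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dataset (name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO dataset VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def query_datasets(conn, filter_param):
    where_sql, params = compile_filter(filter_param)
    sql = f"SELECT name FROM dataset WHERE {where_sql} ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, params)]
```

A quote or SQL keyword inside a value (for example `name = O'Brien`) is bound as literal data, while an unknown identifier such as a column name outside the allowlist is rejected before any query is built.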

Advisories recommend upgrading to Xibo CMS version 4.4.1, which remediates the issue. Customers hosting their CMS with Xibo Signage on versions 4.4, 4.3, 3.3, 2.3, or 1.8 have already been patched. Patches are also available for out-of-support versions 3.3, 2.3, and 1.8, with relevant fixes detailed in GitHub commits and the security advisory GHSA-rq92-f6fv-3629.

Vulnerability details

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1, which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in the authenticated API of the public-facing Xibo CMS web application directly enables T1190 (Exploit Public-Facing Application) for data access and modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

xibosignage
xibo
1.7.0 — 4.4.1

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Requires validation of API filter parameters to block SQL injection payloads, directly preventing exploitation of this input-based vulnerability.

Prevent: Mandates timely patching of flaws like this SQL injection vulnerability, including upgrading to Xibo CMS 4.4.1 or applying the available patches.

Detect (RA-5, Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify SQL injection flaws in API endpoints like the DataSet filtering routes prior to exploitation.
