CVE-2026-31952
Published: 24 April 2026
Summary
CVE-2026-31952 is a high-severity SQL Injection (CWE-89) vulnerability in Xibosignage Xibo. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-31952 is an SQL injection vulnerability in the API routes responsible for filtering DataSets within the Xibo content management system (CMS), part of the open-source Xibo digital signage platform that includes a web CMS and Windows display player software. The flaw affects Xibo CMS versions 1.7 through 4.4.0 and is classified under CWE-89 (SQL Injection) and CWE-184 (Incomplete List of Disallowed Inputs).
An authenticated user holding either the "Access to DataSet Feature" privilege or the "Access to the Layout Feature" privilege can exploit this vulnerability over the network, with low attack complexity and no user interaction required. By injecting specially crafted values into the API filter parameter, the attacker can read sensitive data from the Xibo database and modify arbitrary data; the CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) reflects a high confidentiality impact and low integrity and availability impacts.
Advisories recommend upgrading to Xibo CMS version 4.4.1, which remediates the issue. Customers hosting their CMS with Xibo Signage on versions 4.4, 4.3, 3.3, 2.3, or 1.8 have already been patched. Patches are also available for the out-of-support versions 3.3, 2.3, and 1.8; the fixes are detailed in the associated GitHub commits and in security advisory GHSA-rq92-f6fv-3629.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25357
Vulnerability details
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1, which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the authenticated API of the public-facing Xibo CMS web application directly enables T1190 (Exploit Public-Facing Application) for data access and modification.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of API filter parameters to block SQL injection payloads, directly preventing exploitation of this input-based vulnerability.
- Flaw remediation: mandates timely patching of flaws like this SQL injection vulnerability, including the upgrade to Xibo CMS 4.4.1 or application of the available patches.
- RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify SQL injection flaws in API endpoints like the DataSet filtering routes prior to exploitation.
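The SI-10 control above, and the filter-parameter mechanism described under Deeper analysis, can be illustrated with a small added example. It is not Xibo's code: it uses Python and SQLite as a stand-in for the PHP CMS, and the `dataset` table, its columns, the sample rows and the `FILTERABLE_COLUMNS` allowlist are constructed for the illustration. It contrasts a filter builder that interpolates a client-supplied field and value into the SQL text with one that checks the field against an allowlist and binds the value as a query parameter, which is what an input-validation review of each API filter route would look for.

```python
import sqlite3

# Constructed sample data standing in for a CMS dataset table (not Xibo's schema).
ROWS = [
    (1, "lobby-schedule", "marketing"),
    (2, "menu-board", "catering"),
    (3, "hr-notices", "hr"),
]

# Allowlist of columns a client may filter on. A column name cannot be bound as a
# query parameter, so the only safe way to accept it from the client is by lookup
# against a fixed set of known identifiers (constructed for this example).
FILTERABLE_COLUMNS = {"name", "owner"}


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dataset (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO dataset VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def filter_datasets_unsafe(conn, field, value):
    """Vulnerable pattern (CWE-89): both the field and the value from the request
    are pasted into the SQL text, so quote characters in the value change the
    query's logic instead of being treated as data."""
    sql = f"SELECT id FROM dataset WHERE {field} = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def filter_datasets_safe(conn, field, value):
    """Hardened pattern (SI-10): the field is validated against the allowlist and
    the value is bound as a parameter, so it is always compared literally."""
    if field not in FILTERABLE_COLUMNS:
        raise ValueError(f"unsupported filter field: {field!r}")
    sql = f"SELECT id FROM dataset WHERE {field} = ?"  # field is now a known identifier
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("unsafe:", filter_datasets_unsafe(db, "name", crafted))  # every row leaks
    print("safe:  ", filter_datasets_safe(db, "name", crafted))    # no row matches
    print("safe:  ", filter_datasets_safe(db, "owner", "hr"))      # normal filter
```

The asymmetry in the hardened function is the point: the value is bound because the database driver supports parameters for values, while the field name must be rejected by allowlist because identifiers cannot be parameterised. A scanner or code review (RA-5) checks that every filter route follows both halves of this pattern.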