{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26460", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-13T20:45:52.241Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T20:45:52.241Z"}, "descriptions": [{"lang": "en", "value": "A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.vtiger.com/open-source-crm/"}, {"url": "https://www.simonjuguna.com/cve-2026-26460-html-injection-vulnerability-in-vtiger-open-source-edition-v8-4-0/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser"}], "id": "CVE-2026-26460", "lastModified": "2026-04-13T21:16:24.020", "metrics": {}, "published": "2026-04-13T21:16:24.020", "references": [{"source": "cve@mitre.org", "url": "https://www.simonjuguna.com/cve-2026-26460-html-injection-vulnerability-in-vtiger-open-source-edition-v8-4-0/"}, {"source": "cve@mitre.org", "url": "https://www.vtiger.com/open-source-crm/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "8.4.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "crm", "vendor": "vtiger"}], "analysis": {"en": {"generated_at": "2026-04-13T22:26:46.261913+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s latest patch to Vtiger CRM or upgrade to a version that addresses the Dashboard module issue.", "If a patch is unavailable, limit access to the Dashboard module or the tabid parameter to users with strictly necessary privileges.", "Implement server\u2011side sanitization of the tabid parameter and ensure all output is properly escaped before rendering.", "Deploy a strict Content Security Policy to block execution of inline or unknown scripts.", "Monitor dashboard pages for unexpected HTML content and review logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vtiger CRM (open\u2011source edition) version 8.4.0. The vulnerability is located in the DashBoardTab view during the getTabContents action and only this version is confirmed to be affected. No other versions are listed in the available data.", "description_and_impact": "A failure to neutralize user\u2011supplied input in the tabid parameter of Vtiger CRM\u2019s Dashboard module allows an attacker to inject arbitrary HTML content that is rendered directly in the victim\u2019s browser. The injected code runs with the privileges of the user viewing the dashboard, enabling actions such as cookie theft, session hijacking, phishing, or defacement. The flaw is a classic cross\u2011site scripting vulnerability arising from improper output encoding.", "risk_and_exploitability": "The CVSS score is not provided, EPSS data is missing, and the vulnerability is not listed in CISA\u2019s KEV catalog, yet the feasibility of exploitation is high because it requires only manipulation of a query parameter within a web application. The impact on confidentiality, integrity, and availability is significant for authenticated users who can view the dashboard, making this a high\u2011severity vulnerability in the absence of further evidence."}}}}, "created": "2026-04-14T16:21:41.398771+00:00", "title": "HTML Injection in Vtiger CRM Dashboard Module", "updated": "2026-04-14T16:35:32.252695+00:00", "vendors": ["vtiger", "vtiger$PRODUCT$crm"], "weaknesses": ["CWE-79"]}