Stored Cross-Site Scripting in Teampass Password Manager
CVE-2026-3107

9.3CRITICAL

Key Information:

Vendor: Teampass
Status: Teampass
Vendor: CVE Published:; 31 March 2026

What is CVE-2026-3107?

Teampass versions before 3.1.5.16 are susceptible to a stored Cross-Site Scripting (XSS) vulnerability. This flaw arises in the password import functionality, where user-input data is inadequately sanitized and encoded. As a result, malicious JavaScript payloads can be injected and persistently stored in the database. When users access the imported passwords, these payloads are executed in their browsers, leading to a stored XSS scenario. This exploitation permits attackers to run arbitrary JavaScript code across multiple user sessions, risking session hijacking, credential theft, and application integrity compromises.

Affected Version(s)

Teampass 0 <= 3.1.5.16

Teampass 3.1.5.24

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

patch

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 31, 2026
Vulnerability Reserved
Feb 24, 2026

Credit

Julen Garrido Estévez (B3xal)

CVE-2026-3107 Data

JSON