SQL Injection Vulnerability in Xibo Digital Signage Platform Affecting Multiple Versions
CVE-2026-31952

7.6 HIGH

Key Information:

Status
Vendor
CVE Published: 24 April 2026

What is CVE-2026-31952?

Xibo's digital signage content management system (CMS) contains an SQL injection vulnerability in versions 1.7 through 4.4.0. The flaw lies in the API routes used to filter DataSets: an authenticated user who holds either the "Access to DataSet Feature" or the "Access to Layout Feature" permission can supply crafted filter parameters that are incorporated into the database query, allowing them to read and modify arbitrary data in the Xibo database. The issue is fixed in version 4.4.1; patches are also available for the otherwise unsupported 3.3, 2.3 and 1.8 release lines. Because exploitation needs only a low-privileged authenticated account, any user granted DataSet or Layout access should be treated as able to reach the database until the upgrade is applied.
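The pattern behind this class of bug, as an added illustration that is not Xibo's code: a DataSet filter parameter concatenated into the query text lets the caller change the query itself, while building the filter from an allowlisted column, an allowlisted operator and a bound value does not. The SQLite schema, table names and the leaked credential row below are constructed for the example.

```python
import sqlite3

# Constructed in-memory schema standing in for a signage CMS database.
# Illustrative only: table and column names are assumptions, not Xibo's.
SCHEMA = """
CREATE TABLE dataset_row (id INTEGER PRIMARY KEY, city TEXT, temp INTEGER);
CREATE TABLE user (userId INTEGER PRIMARY KEY, userName TEXT, password TEXT);
INSERT INTO dataset_row VALUES (1, 'Oslo', 3), (2, 'Madrid', 21);
INSERT INTO user VALUES (1, 'admin', '$2y$10$hash-of-admin-password');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def filter_rows_vulnerable(conn, filter_expr):
    """Interpolates a caller-supplied filter clause straight into the SQL text.

    This is the shape of bug the advisory describes: whoever controls the
    filter parameter controls the query, so a UNION can pull rows from any
    table the CMS database user can read.
    """
    sql = "SELECT id, city, temp FROM dataset_row WHERE " + filter_expr
    return conn.execute(sql).fetchall()


# Identifiers cannot be bound as parameters, so they are validated against
# fixed allowlists; only the comparison value travels as a bound parameter.
ALLOWED_COLUMNS = {"id", "city", "temp"}
ALLOWED_OPS = {"=": "=", "!=": "!=", "<": "<", ">": ">", "like": "LIKE"}


def filter_rows_safe(conn, column, op, value):
    """Builds the same filter from structured parts instead of raw SQL."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column: {column!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"unknown operator: {op!r}")
    sql = f"SELECT id, city, temp FROM dataset_row WHERE {column} {ALLOWED_OPS[op]} ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(filter_rows_vulnerable(db, "city = 'Oslo'"))
    # Same endpoint, attacker-chosen filter: the user table comes back instead.
    print(filter_rows_vulnerable(db, "1=0 UNION SELECT userId, userName, password FROM user"))
    # Hardened version: the injection text is just a string value that matches nothing.
    print(filter_rows_safe(db, "city", "=", "x' UNION SELECT userId, userName, password FROM user --"))
```

The allowlist step matters as much as parameter binding: a column name or operator taken from the request cannot be passed as a bound parameter, so the hardened function refuses anything outside the fixed sets rather than trying to escape it.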

Affected Version(s)

xibo-cms >= 1.7, < 4.4.1

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Vector as listed: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Note: with Availability at High, the metrics above compute to a base score of 8.3 under the CVSS v3.1 formula; 7.6 is the score for the same vector with Availability Low (A:L). One of the two listed values is therefore inconsistent with the other, and readers should check the vendor advisory before relying on either.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
