Authenticated Server-Side Request Forgery in Xibo Digital Signage Platform
CVE-2026-31955

4.9MEDIUM

Key Information:

Vendor: Xibosignage
Status: Xibo-cms
Vendor: CVE Published:; 24 April 2026

🔔 Create Xibosignage Vulnerability Alert

What is CVE-2026-31955?

An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in Xibo, an open-source digital signage platform. Users with DataSet permissions can exploit this flaw to execute arbitrary HTTP requests from the CMS server, potentially accessing sensitive internal or external resources. This includes the ability to scan infrastructure, retrieve local cloud metadata, and interact with unprotected internal services. To mitigate this risk, users must upgrade to version 4.4.1, which addresses the issue. Alternatively, users should revoke DataSet permissions for any untrusted accounts.

Affected Version(s)

xibo-cms < 4.4.1

References

https://github.com/xibosignage/xibo-cms/security/advisori...

x_refsource_CONFIRM

https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Mar 10, 2026

CVE-2026-31955 Data

JSON