CVE-2022-26332

MEDIUM

Cipi 3.1.15 - Stored Cross-Site Scripting via Server Name Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-26332. PoCs published by Ghuliev.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Cipi Control Panel 3.1.15, where the 'name' parameter in the server addition feature lacks proper input sanitization. The PoC shows how an authenticated attacker can inject malicious JavaScript code, which executes when the server list is viewed.

Description

Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field.

Exploits (1)

exploitdb WORKING POC
by Ghuliev · text · webapps · linux
https://www.exploit-db.com/exploits/50788

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Cipi Control Panel 3.1.15
Auth required
Prerequisites: Authenticated access to the Cipi Control Panel · Ability to send HTTP POST requests to the /api/servers endpoint
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50788
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/andreapollastri/cipi/releases

Scores

CVSS v3 5.4
EPSS 0.0019
EPSS Percentile 41.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (2)
andreapollastri/cipi 0Packagist
cipi/cipi 3.1.15
Published Mar 01, 2022
Tracked Since Feb 18, 2026