CVE-2026-23880

HIGH

OnboardLite <commit 1d32081a66f21bcf41df1ecb672490b13f6e429f - XSS

Title source: llm

Description

OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.

References (2)

[Vendor Advisory] https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g

[Patch] https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f

Scores

CVSS v3 7.3

EPSS 0.0006

EPSS Percentile 20.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-116 CWE-20 CWE-79

Status published

Published Jan 19, 2026

Tracked Since Feb 18, 2026