CVE-2026-31013

MEDIUM

Dovestones Softwares ADPhonebook <4.0.1.1 - XSS

Title source: llm

Description

Dovestones Softwares ADPhonebook versions before 4.0.1.1 have a reflected cross-site scripting (XSS) vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected in the HTTP response without proper input validation or output encoding, which allows arbitrary JavaScript to execute in the victim's browser.

Scores

CVSS v3 6.1
EPSS 0.0019
EPSS Percentile 9.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
dovestones/ad_phonebook < 4.0.1.1
Published Apr 21, 2026
Tracked Since Apr 21, 2026