CVE-2026-42141

HIGH

Xibo: Authenticated Server-Side Request Forgery (SSRF) in Library Upload via URL functionality

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42141. PoCs published by H4zaz.

AI-analyzed exploit summary This repository provides a detailed technical writeup and proof of concept for CVE-2026-42141, an SSRF vulnerability in Xibo CMS. It includes specific endpoint details, HTTP request format, and mitigation steps.

Description

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. This vulnerability is fixed in 4.4.1.

Exploits (1)

github WRITEUP
by H4zaz · poc
https://github.com/H4zaz/CVE-2026-42141-xibo-ssrf

This repository provides a detailed technical writeup and proof of concept for CVE-2026-42141, an SSRF vulnerability in Xibo CMS. It includes specific endpoint details, HTTP request format, and mitigation steps.

Classification
Writeup 90%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: Xibo CMS
Auth required
Prerequisites: Authenticated user access to Xibo CMS
devstral-2 · analyzed May 17, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.7
EPSS 0.0037
EPSS Percentile 28.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (1)
xibosignage/xibo-cms < 4.4.1
Published May 12, 2026
Tracked Since May 12, 2026