CVE-2026-12948 PUBLISHED

Stored Cross-Site Scripting (XSS)

Assigner: Digi
Reserved: 22.06.2026 Published: 07.07.2026 Updated: 07.07.2026

A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 4.8

Product Status

Vendor Digi International
Product Digi PortServer TS
Versions Default: unaffected
  • affected from 82000747_V1 to 82000747_AB (incl.)
Vendor Digi International
Product Digi One SP
Versions Default: unaffected
  • affected from 82000747_V1 to 82000747_AB (incl.)
Vendor Digi International
Product Digi One SP IA
Versions Default: unaffected
  • affected from 82000747_V1 to 82000747_AB (incl.)
Vendor Digi International
Product Digi One IA
Versions Default: unaffected
  • affected from 82000747_V1 to 82000747_AB (incl.)

References

Problem Types

  • CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE