CVE-2026-23819 PUBLISHED

Error in SSID Processing allows Stored XSS in Web Management Interface

Assigner: hpe
Reserved: 16.01.2026 Published: 12.05.2026 Updated: 12.05.2026

A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Adjacent Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Hewlett Packard Enterprise (HPE)
Product	ArubaOS (AOS)
Versions	Default: affected Version 10.8.0.0 is affected affected from 10.7.0.0 to 10.7.2.2 (incl.) affected from 10.4.0.0 to 10.4.1.10 (incl.) affected from 8.13.0.0 to 8.13.1.1 (incl.) affected from 8.12.0.0 to 8.12.0.6 (incl.) affected from 8.10.0.0 to 8.10.0.21 (incl.)

Credits

Michael Messner reporter
Benedikt Kuehne reporter
Caio Adler Goncalves Farias reporter
Siemens Energy sponsor

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US