CVE-2026-4816 PUBLISHED

Reflected Cross Site Scripting (XSS) vulnerability in Support Board

Assigner: INCIBE
Reserved: 25.03.2026 Published: 25.03.2026 Updated: 25.03.2026

A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 4.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Schiocco
Product	Support Board
Versions	Default: unaffected affected from 0 to 3.7.7 (incl.) Version 3.7.8 is unaffected

Solutions

The vulnerability has been fixed by Schiocco team in version 3.7.8, released on February 2025.

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-support-board-schiocco

Problem Types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE