Description

Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, allowing malicious JavaScript payloads to be persistently stored in the database. When other users view the imported passwords, the payload is automatically executed in their browsers, resulting in a stored XSS condition at the endpoint 'redacted/index.php?page=items'. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of multiple users and the administrator, which can lead to session hijacking, credential theft, privilege abuse, and compromise of application integrity.

INFO

Published Date :

2026-03-31T08:58:59.688Z

Last Modified :

2026-03-31T18:04:08.704Z

Source :

INCIBE
AFFECTED PRODUCTS

The following products are affected by CVE-2026-3107 vulnerability.

Vendors Products
Teampass
  • Teampass
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-3107.

URL Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teampass cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact