CVE-2026-2276

Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.

CVSS

No CVSS.

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-wix-web-application

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de cross-site scripting (XSS) reflejada en la aplicación web de Wix, donde el endpoint ' https://manage.wix.com/account/account-settings ', responsable de la carga de imágenes SVG, no sanitiza correctamente el contenido. Un atacante autenticado podría cargar un archivo SVG que contiene código JavaScript incrustado, que se almacena y se ejecuta posteriormente cuando otros usuarios ven la imagen. La explotación de esta vulnerabilidad permite que se ejecute código arbitrario en el contexto del navegador de la víctima, lo que podría llevar a la divulgación de información sensible o al abuso de la sesión del usuario afectado.

12 Feb 2026, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-12 11:15

Updated : 2026-04-15 00:35

NVD link : CVE-2026-2276

Mitre link : CVE-2026-2276

CVE.ORG link : CVE-2026-2276

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-2276", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-12T11:15:50.113", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-wix-web-application", "source": "cve-coordination@incibe.es"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session."}, {"lang": "es", "value": "Vulnerabilidad de cross-site scripting (XSS) reflejada en la aplicaci\u00f3n web de Wix, donde el endpoint ' https://manage.wix.com/account/account-settings ', responsable de la carga de im\u00e1genes SVG, no sanitiza correctamente el contenido. Un atacante autenticado podr\u00eda cargar un archivo SVG que contiene c\u00f3digo JavaScript incrustado, que se almacena y se ejecuta posteriormente cuando otros usuarios ven la imagen. La explotaci\u00f3n de esta vulnerabilidad permite que se ejecute c\u00f3digo arbitrario en el contexto del navegador de la v\u00edctima, lo que podr\u00eda llevar a la divulgaci\u00f3n de informaci\u00f3n sensible o al abuso de la sesi\u00f3n del usuario afectado."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cve-coordination@incibe.es"}