MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
References
| Link | Resource |
|---|---|
| https://cert.pl/en/posts/2026/07/CVE-2026-53902 | Third Party Advisory |
| https://mco.mycomplianceoffice.com/ | Product |
Configurations
History
06 Jul 2026, 14:07
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://cert.pl/en/posts/2026/07/CVE-2026-53902 - Third Party Advisory | |
| References | () https://mco.mycomplianceoffice.com/ - Product | |
| First Time |
Mycomplianceoffice mycomplianceoffice
Mycomplianceoffice |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| CPE | cpe:2.3:a:mycomplianceoffice:mycomplianceoffice:25.3.3.1:*:*:*:*:*:*:* |
01 Jul 2026, 13:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-01 13:17
Updated : 2026-07-06 14:07
NVD link : CVE-2026-53907
Mitre link : CVE-2026-53907
CVE.ORG link : CVE-2026-53907
JSON object : View
Products Affected
mycomplianceoffice
- mycomplianceoffice
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
