{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29969", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-26T19:05:41.349Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T19:05:41.349Z"}, "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/cmoncrook/Security-Advisories/blob/main/cve-2026-29969"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request."}], "id": "CVE-2026-29969", "lastModified": "2026-03-26T19:16:59.600", "metrics": {}, "published": "2026-03-26T19:16:59.600", "references": [{"source": "cve@mitre.org", "url": "https://github.com/cmoncrook/Security-Advisories/blob/main/cve-2026-29969"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.0.1.19219"}}], "enrichment": {"confidence": 75.0, "confidence_source": "inferred", "scores": [{"score": 75.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "staffwiki", "vendor": "cmoncrook"}], "analysis": {"en": {"generated_at": "2026-03-26T20:26:07.489508+00:00", "value": {"mitigation_remediation": ["Upgrade StaffWiki to a version newer than 7.0.1.19219 if a patch is available", "Restrict or disable access to the wff_cols_pref.css.aspx endpoint for untrusted users", "Implement a strict Content Security Policy to block execution of injected scripts"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting allowing arbitrary JavaScript execution in the browser context"}, "threat_synthesis": {"affected_systems": "The flaw affects StaffWiki version 7.0.1.19219, specifically the wff_cols_pref.css.aspx endpoint. Precise vendor information is not listed, but the direct product is StaffWiki.", "description_and_impact": "A cross\u2011site scripting vulnerability exists in the wff_cols_pref.css.aspx endpoint of StaffWiki v7.0.1.19219. An attacker can send a crafted HTTP request that causes the server to return a response containing malicious JavaScript, which will be executed with the privileges of the user who visits the page. This can lead to theft of session cookies, defacement, or further compromise of the user\u2019s environment. The weakness aligns with improper neutralization of input during web page generation.", "risk_and_exploitability": "The vulnerability is exploitable over the network via an HTTP request. Although a CVSS score and EPSS are not provided, the ability to run arbitrary code in the user\u2019s browser represents a high severity risk. The vulnerability is not listed in the CISA KEV catalog, but it remains locally exploitable by any user who can reach the affected endpoint."}}}}, "created": "2026-03-27T08:36:25.838319+00:00", "title": "Cross\u2011Site Scripting via wff_cols_pref.css.aspx in StaffWiki\u00a0v7.0.1.19219", "updated": "2026-03-27T09:29:06.497163+00:00", "vendors": ["cmoncrook", "cmoncrook$PRODUCT$staffwiki"], "weaknesses": ["CWE-79"]}