{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29969", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T14:56:27.205Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T19:05:41.349Z"}, "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/cmoncrook/Security-Advisories/blob/main/cve-2026-29969"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T13:53:33.618281Z", "id": "CVE-2026-29969", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:56:27.205Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T13:53:33.618281Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:53:50.388Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/cmoncrook/Security-Advisories/blob/main/cve-2026-29969"}], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T19:05:41.349Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29969", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:56:27.205Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary Javascript in the context of the user's browser via a crafted HTTP request."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) en el endpoint wff_cols_pref.css.aspx de staffwiki v7.0.1.19219 permite a los atacantes ejecutar Javascript arbitrario en el contexto del navegador del usuario a trav\u00e9s de una solicitud HTTP manipulada."}], "id": "CVE-2026-29969", "lastModified": "2026-03-30T15:16:25.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T19:16:59.600", "references": [{"source": "cve@mitre.org", "url": "https://github.com/cmoncrook/Security-Advisories/blob/main/cve-2026-29969"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.0.1.19219"}}], "enrichment": {"confidence": 75.0, "confidence_source": "inferred", "scores": [{"score": 75.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "staffwiki", "vendor": "cmoncrook"}], "analysis": {"en": {"generated_at": "2026-03-27T21:41:02.599553+00:00", "value": {"mitigation_remediation": ["Check for and apply an official patch or upgrade to a version of Staffwiki that fixes the XSS vulnerability.", "If a patch is not yet available, restrict access to the wff_cols_pref.css.aspx endpoint to trusted users or IP addresses.", "Implement web application firewall rules that block or sanitize malicious input targeting this endpoint.", "Enforce a strict Content Security Policy to limit the execution of inline scripts.", "Monitor web traffic for suspicious requests to the endpoint and investigate any anomalies."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (XSS) that permits arbitrary JavaScript execution in the victim\u2019s browser"}, "threat_synthesis": {"affected_systems": "The affected system is distinctively identified as Staffwiki version 7.0.1.19219. No further vendor or product variations are listed, so only deployments of this exact build are vulnerable.", "description_and_impact": "The vulnerability is a cross\u2011site scripting flaw in the wff_cols_pref.css.aspx endpoint of Staffwiki version 7.0.1.19219. An attacker can construct a malicious HTTP request that injects and executes arbitrary JavaScript within the context of the person accessing the page. This allows the attacker to run code in the user\u2019s browser, potentially stealing session data or performing other client\u2011side actions that require the user\u2019s privilege level. The weakness corresponds to CWE\u201179, improper neutralization of input during web page generation.", "risk_and_exploitability": "The publicly reported EPSS score is below 1 percent and the vulnerability has not appeared in the CISA Known Exploited Vulnerabilities catalog, indicating a relatively low likelihood of widespread exploitation. However, because the flaw can be triggered by a crafted HTTP request without additional privileges, the risk to exposed users remains moderate. Organizations using the vulnerable Staffwiki build should treat the issue as a medium\u2011severity concern, monitor for related attacks, and apply mitigations as soon as possible."}}}}, "created": "2026-03-27T08:36:25.838319+00:00", "title": "Cross\u2011Site Scripting in Staffwiki v7.0.1.19219", "updated": "2026-03-29T20:28:08.062009+00:00", "vendors": ["cmoncrook", "cmoncrook$PRODUCT$staffwiki"], "weaknesses": ["CWE-79"]}