Platform
php
Component
aureuserp/aureuserp
Fixed in
1.3.0-BETA1
1.3.0-BETA1
CVE-2026-4175 describes a Cross-Site Scripting (XSS) vulnerability discovered in Aureus ERP versions up to 1.2.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the Chatter Message Handler component, specifically in the file plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php. A fix is available in version 1.3.0-BETA1.
Successful exploitation of CVE-2026-4175 could allow an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This could lead to various malicious actions, including stealing user credentials, redirecting users to phishing sites, or defacing the application's interface. The impact is amplified if the application handles sensitive data or is integrated with other critical systems. While the CVSS score is LOW, the potential for user compromise and data exfiltration remains a significant concern, especially in environments where user awareness is low or security controls are inadequate. The remote nature of the attack makes it easily exploitable.
CVE-2026-4175 was publicly disclosed on 2026-03-16. No public proof-of-concept (PoC) code has been identified at the time of writing, but the relatively straightforward nature of XSS vulnerabilities suggests that a PoC could emerge quickly. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates and potential exploitation attempts.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4175 is to upgrade Aureus ERP to version 1.3.0-BETA1 or later, which contains the necessary patch (2135ee7efff4090e70050b63015ab5e268760ec8). If an immediate upgrade is not feasible, consider implementing input validation and output encoding on the subject and body fields within the Chatter Message Handler component. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies to ensure they address XSS vulnerabilities effectively. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the message subject or body and verifying that it is properly sanitized.
Update Aureus ERP to version 1.3.0-BETA1 or later. This update corrects the Cross-Site Scripting (XSS) vulnerability in the Chatter Message Handler component. The update includes the patch 2135ee7efff4090e70050b63015ab5e268760ec8.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-4175 is a Cross-Site Scripting (XSS) vulnerability affecting Aureus ERP versions up to 1.2.0, allowing attackers to inject malicious scripts.
You are affected if you are using Aureus ERP versions 1.2.0 or earlier. Upgrade to 1.3.0-BETA1 to mitigate the risk.
Upgrade Aureus ERP to version 1.3.0-BETA1. Implement input validation and output encoding as a temporary workaround if immediate upgrade is not possible.
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests potential for exploitation.
Refer to the Aureus ERP official website or security advisories for the latest information and updates regarding CVE-2026-4175.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.