CVE-2026-23819 - Vulnerability Details - OpenCVE

A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Hpe	Arubaos

No data.

No data.

References

Link	Providers
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US

History

Wed, 13 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hpe Hpe arubaos
Vendors & Products		Hpe Hpe arubaos

Tue, 12 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 12 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.
Title		Error in SSID Processing allows Stored XSS in Web Management Interface
References		https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: hpe

Published: 2026-05-12T18:31:33.726Z

Updated: 2026-05-12T19:31:00.149Z

Reserved: 2026-01-16T15:22:49.224Z

Link: CVE-2026-23819

Vulnrichment

Updated: 2026-05-12T19:30:55.704Z

NVD

Status : Awaiting Analysis

Published: 2026-05-12T19:16:28.603

Modified: 2026-05-13T15:35:17.550

Link: CVE-2026-23819

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23819", "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "state": "PUBLISHED", "assignerShortName": "hpe", "dateReserved": "2026-01-16T15:22:49.224Z", "datePublished": "2026-05-12T18:31:33.726Z", "dateUpdated": "2026-05-12T19:31:00.149Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe", "dateUpdated": "2026-05-12T18:31:33.726Z"}, "title": "Error in SSID Processing allows Stored XSS in Web Management Interface", "affected": [{"vendor": "Hewlett Packard Enterprise (HPE)", "product": "ArubaOS (AOS)", "versions": [{"status": "affected", "version": "10.8.0.0", "versionType": "semver"}, {"status": "affected", "version": "10.7.0.0", "lessThanOrEqual": "10.7.2.2", "versionType": "semver"}, {"status": "affected", "version": "10.4.0.0", "lessThanOrEqual": "10.4.1.10", "versionType": "semver"}, {"status": "affected", "version": "8.13.0.0", "lessThanOrEqual": "8.13.1.1", "versionType": "semver"}, {"status": "affected", "version": "8.12.0.0", "lessThanOrEqual": "8.12.0.6", "versionType": "semver"}, {"status": "affected", "version": "8.10.0.0", "lessThanOrEqual": "8.10.0.21", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.</p>"}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Michael Messner", "type": "reporter"}, {"lang": "en", "value": "Benedikt Kuehne", "type": "reporter"}, {"lang": "en", "value": "Caio Adler Goncalves Farias", "type": "reporter"}, {"lang": "en", "value": "Siemens Energy", "type": "sponsor"}], "source": {"advisory": "HPESBNW05049", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-12T19:30:46.532539Z", "id": "CVE-2026-23819", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T19:31:00.149Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-12T19:30:46.532539Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T19:30:55.704Z"}}], "cna": {"title": "Error in SSID Processing allows Stored XSS in Web Management Interface", "source": {"advisory": "HPESBNW05049", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Michael Messner"}, {"lang": "en", "type": "reporter", "value": "Benedikt Kuehne"}, {"lang": "en", "type": "reporter", "value": "Caio Adler Goncalves Farias"}, {"lang": "en", "type": "sponsor", "value": "Siemens Energy"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hewlett Packard Enterprise (HPE)", "product": "ArubaOS (AOS)", "versions": [{"status": "affected", "version": "10.8.0.0", "versionType": "semver"}, {"status": "affected", "version": "10.7.0.0", "versionType": "semver", "lessThanOrEqual": "10.7.2.2"}, {"status": "affected", "version": "10.4.0.0", "versionType": "semver", "lessThanOrEqual": "10.4.1.10"}, {"status": "affected", "version": "8.13.0.0", "versionType": "semver", "lessThanOrEqual": "8.13.1.1"}, {"status": "affected", "version": "8.12.0.0", "versionType": "semver", "lessThanOrEqual": "8.12.0.6"}, {"status": "affected", "version": "8.10.0.0", "versionType": "semver", "lessThanOrEqual": "8.10.0.21"}], "defaultStatus": "affected"}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.", "supportingMedia": [{"type": "text/html", "value": "<p>A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.</p>", "base64": false}]}], "providerMetadata": {"orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe", "dateUpdated": "2026-05-12T18:31:33.726Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23819", "state": "PUBLISHED", "dateUpdated": "2026-05-12T19:31:00.149Z", "dateReserved": "2026-01-16T15:22:49.224Z", "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "datePublished": "2026-05-12T18:31:33.726Z", "assignerShortName": "hpe"}, "dataVersion": "5.2"}