Abstract Advisory Information


A reflected XSS vulnerability in Plunet BusinessManager allows session hijacking, data theft, and unauthorized actions on behalf of the user.

This issue affects Plunet BusinessManager 10.15.1.

Author: Aymane Chaki

Version affected


Name: Plunet BusinessManager

Versions: 10.15.1

Common Vulnerability Scoring System


Score: 8.7

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N

Patches


Plunet BusinessManager 10.22.3

https://support.plunet.com/space/KB/567476225/Plunet+Minor+Release+Notes+10.22.3

References


Vulnerability Disclosure Timeline


  • 25/07/2025: Vulnerability discovery

  • 27/08/2025: Vulnerability Report to TCS-CERT

  • 14/11/2025: 1st contact to report the vulnerability to Plunet by mail

  • 26/11/2025: 2nd contact to report the vulnerability to Plunet by mail and contact form

  • 08/01/2026: 3rd contact to report the vulnerability to Plunet by mail

  • 15/01/2026: Acknowledgement from vendor

  • 20/01/2026: Vulnerability report shared with the vendor

  • 02/02/2026: Acknowledgement from vendor. Security fix released (Plunet BusinessManager 10.22.3)

  • 11/02/2026: CVE number assigned

  • 11/02/2026: Published CVE with the ID CVE-2026-2337

  • 12/02/2026: Expected vulnerability disclosure