Abstract Advisory Information


The application contains a Stored Cross-Site Scripting (XSS) vulnerability within its user profile management features. This flaw could allow an attacker to inject and store malicious scripts that execute in the context of other users' browsers. Successful exploitation may lead to unauthorized actions being performed on behalf of privileged users.

Author: Aymane Chaki

Version affected


Name: Plunet BusinessManager

Versions: 10.15.1

Common Vulnerability Scoring System


Score: 8.6

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N

Patches


Plunet BusinessManager 10.20

https://support.plunet.com/space/KB/362741761/Plunet+Minor+Release+Notes+10.20.0

References


  • https://cds.thalesgroup.com/en/tcs-cert/CVE-2026-2344

Vulnerability Disclosure Timeline


  • 25/07/2025: Vulnerability discovery

  • 27/08/2025: Vulnerability Report to TCS-CERT

  • 14/11/2025: 1st contact to report the vulnerability to Plunet via mail

  • 26/11/2025: 2nd contact to report the vulnerability to Plunet via mail and contact form

  • 08/01/2026: 3rd contact to report the vulnerability to Plunet via mail

  • 15/01/2026: Acknowledgement from vendor

  • 20/01/2026: Vulnerability report shared with the vendor

  • 02/02/2026: Acknowledgement from vendor. Affected feature proactively removed (Plunet BusinessManager [10.20])

  • 11/02/2026: CVE number assigned

  • 11/02/2026: Published CVE with the ID CVE-2026-2344

  • 12/02/2026: Expected vulnerability disclosure