Search criteria
2 vulnerabilities found for web application by Wix
CVE-2026-2276 (GCVE-0-2026-2276)
Vulnerability from cvelistv5 – Published: 2026-02-12 10:26 – Updated: 2026-02-13 09:10
VLAI?
Title
Reflected Cross-Site Scripting in the Wix web application
Summary
Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wix | web application |
Affected:
All versions
|
Credits
Miguel Jiménez Cámara
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T14:18:24.300262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T14:18:39.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web application",
"vendor": "Wix",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wix:web_application:all_versions:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Miguel Jim\u00e9nez C\u00e1mara"
}
],
"datePublic": "2026-02-12T10:11:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint \u0027\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://manage.wix.com/account/account-settings\"\u003ehttps://manage.wix.com/account/account-settings\u003c/a\u003e\u0027, responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim\u0027s browser, which could lead to the disclosure of sensitive information or the abuse of the affected user\u0027s session."
}
],
"value": "Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint \u0027 https://manage.wix.com/account/account-settings \u0027, responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim\u0027s browser, which could lead to the disclosure of sensitive information or the abuse of the affected user\u0027s session."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T09:10:47.744Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-wix-web-application"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No solution has been reported at this time.\u003cbr\u003e"
}
],
"value": "No solution has been reported at this time."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected Cross-Site Scripting in the Wix web application",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-2276",
"datePublished": "2026-02-12T10:26:04.359Z",
"dateReserved": "2026-02-10T13:03:46.213Z",
"dateUpdated": "2026-02-13T09:10:47.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2276 (GCVE-0-2026-2276)
Vulnerability from nvd – Published: 2026-02-12 10:26 – Updated: 2026-02-13 09:10
VLAI?
Title
Reflected Cross-Site Scripting in the Wix web application
Summary
Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wix | web application |
Affected:
All versions
|
Credits
Miguel Jiménez Cámara
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T14:18:24.300262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T14:18:39.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web application",
"vendor": "Wix",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wix:web_application:all_versions:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Miguel Jim\u00e9nez C\u00e1mara"
}
],
"datePublic": "2026-02-12T10:11:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint \u0027\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://manage.wix.com/account/account-settings\"\u003ehttps://manage.wix.com/account/account-settings\u003c/a\u003e\u0027, responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim\u0027s browser, which could lead to the disclosure of sensitive information or the abuse of the affected user\u0027s session."
}
],
"value": "Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint \u0027 https://manage.wix.com/account/account-settings \u0027, responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim\u0027s browser, which could lead to the disclosure of sensitive information or the abuse of the affected user\u0027s session."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T09:10:47.744Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-wix-web-application"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No solution has been reported at this time.\u003cbr\u003e"
}
],
"value": "No solution has been reported at this time."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected Cross-Site Scripting in the Wix web application",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-2276",
"datePublished": "2026-02-12T10:26:04.359Z",
"dateReserved": "2026-02-10T13:03:46.213Z",
"dateUpdated": "2026-02-13T09:10:47.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}