A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).
References
History

Fri, 10 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Digi International
Digi International digi One Ia
Digi International digi One Sp
Digi International digi One Sp Ia
Digi International digi Portserver Ts
Vendors & Products Digi International
Digi International digi One Ia
Digi International digi One Sp
Digi International digi One Sp Ia
Digi International digi Portserver Ts

Tue, 07 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).
Title Stored Cross-Site Scripting (XSS)
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Digi

Published: 2026-07-07T14:32:43.977Z

Updated: 2026-07-07T14:56:24.483Z

Reserved: 2026-06-22T20:33:02.985Z

Link: CVE-2026-12948

cve-icon Vulnrichment

Updated: 2026-07-07T14:56:19.293Z

cve-icon NVD

No data.

cve-icon Redhat

No data.