CVE-2026-57387 in picuinfo

Summary

by MITRE • 07/13/2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in picu picu picu allows Stored XSS.This issue affects picu: from n/a through <= 3.5.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/13/2026

This cross-site scripting vulnerability stems from inadequate input validation and sanitization within the web page generation process of the picu picu picu application. The flaw represents a classic stored XSS vulnerability where malicious script code can be persistently injected into the application's database or storage mechanisms and subsequently executed whenever legitimate users access affected pages. The vulnerability exists in versions of the software from n/a through version 3.5.1, indicating a prolonged period during which the application remained susceptible to this type of attack vector. According to CWE-79, this corresponds to improper neutralization of input during web page generation, which directly enables malicious actors to inject client-side scripts that execute in the context of other users' browsers.

The technical implementation of this vulnerability occurs when user-supplied data is not properly sanitized before being rendered back to users within web pages. Attackers can exploit this weakness by submitting malicious payloads through input fields or parameters that are then stored server-side and later displayed without adequate filtering or encoding. When other users view the affected content, their browsers execute the injected scripts, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The stored nature of this vulnerability means that the malicious code persists beyond the initial injection point and can affect multiple users over time.

The operational impact of this vulnerability extends beyond simple data theft or defacement. An attacker with successful exploitation could establish persistent backdoors within user sessions, potentially gaining access to sensitive information or performing unauthorized actions on behalf of victims. The vulnerability undermines the fundamental security principle of input validation and demonstrates a critical failure in the application's defense-in-depth strategy. This weakness can be particularly damaging when combined with other attack vectors or when the application handles sensitive user data or administrative functions.

Mitigation strategies should focus on implementing comprehensive input sanitization and output encoding mechanisms throughout the application's data flow. The recommended approach includes employing strict content security policies, implementing proper HTML escaping for all dynamic content, and utilizing secure coding practices such as those outlined in the OWASP Top Ten and MITRE ATT&CK framework. Organizations should also consider implementing web application firewalls, regular security code reviews, and automated vulnerability scanning to identify similar weaknesses. Version updates and patches should be applied immediately upon availability, with particular attention to the specific version range affected by this vulnerability. Additionally, user education regarding suspicious website behavior and maintaining updated browser security settings can provide additional defense layers against exploitation attempts.

Responsible

Patchstack

Reservation

06/24/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00251

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!