CVE-2026-57711 in SupportCandy Plugininfo

Summary

by MITRE • 07/13/2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PSM Plugins SupportCandy supportcandy allows Stored XSS.This issue affects SupportCandy: from n/a through <= 3.4.8.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

This cross-site scripting vulnerability resides within the PSM Plugins SupportCandy supportcandy web application, specifically affecting versions prior to and including 3.4.8. The flaw represents a classic stored XSS attack vector where malicious input is not properly sanitized or escaped during web page generation processes. This vulnerability falls under CWE-79 which defines improper neutralization of input during web page generation as a critical security weakness. The issue occurs when user-supplied data is directly incorporated into dynamically generated HTML content without adequate validation and sanitization measures.

The technical exploitation of this vulnerability allows attackers to inject malicious scripts that persist in the application's database and execute whenever affected pages are loaded by other users. This stored nature means that once a malicious payload is submitted, it remains active until manually removed from the system. Attackers can leverage this weakness to steal session cookies, perform unauthorized actions on behalf of users, redirect victims to malicious sites, or extract sensitive information from authenticated sessions. The vulnerability impacts the entire user base since any legitimate user who views pages containing the stored malicious content becomes a victim of the attack.

Operational impact of this vulnerability extends beyond simple data theft or session hijacking. Organizations using affected versions of SupportCandy face potential compromise of customer support communications, unauthorized access to sensitive support tickets and user information, and possible reputational damage from successful attacks. The vulnerability particularly affects support systems where users frequently submit content that gets rendered in web interfaces, making it a high-risk issue for any business relying on customer support portals. From an attacker's perspective, this represents a low-effort, high-impact vector as the stored nature eliminates the need for continuous injection attempts.

Security mitigations should focus on implementing robust input validation and output encoding mechanisms throughout the application. The recommended approach includes sanitizing all user inputs before storage and applying context-appropriate escaping when rendering content in HTML contexts. Organizations must upgrade to versions of SupportCandy that address this vulnerability, with version 3.4.9 or later providing the necessary fixes. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against XSS attacks by restricting script execution sources. Regular security auditing and input validation testing should be integrated into the development lifecycle to prevent similar vulnerabilities from emerging in other components of the application stack. This vulnerability demonstrates the critical importance of proper input sanitization practices, aligning with ATT&CK technique T1566 which covers social engineering tactics including the use of cross-site scripting attacks for initial access and privilege escalation within web applications.

Responsible

Patchstack

Reservation

06/25/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!