CVE-2026-28110 is a high-severity reflected Cross-site Scripting (XSS) vulnerability in LambertGroup's AllInOne Banner with Playlist plugin. It arises from improper neutralization of input during web page generation: a crafted request causes attacker-supplied data to be written back into the HTML response unencoded, so script embedded in that data executes in the browser of whoever made the request. The CVSS base score is 7.1.
Because the flaw is reflected, the attacker must lure a victim into opening a crafted link or submitting a crafted form; the injected script then runs in the victim's browser under the site's origin and can act with that user's session. The impact is highest when the victim holds a privileged session, such as a site administrator. Organizations running the affected plugin should treat this as a priority patch.
At the time of writing there is no known public exploit or proof of concept and no report of exploitation in the wild. That should not lower the priority: reflected XSS in a widely deployed plugin is routinely weaponized once details circulate, and a successful attack can lead to session abuse, content manipulation and further compromise.
Until the fix is applied, organizations should watch for a vendor release and rely on general web application defenses (output encoding, Content-Security-Policy, request filtering) to limit exposure.
Vulnerability Details
This vulnerability allows reflected Cross-site Scripting (XSS) in the LambertGroup AllInOne Banner with Playlist plugin in all versions up to and including 3.8. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
The CVSS base score of 7.1 places it in the High range (7.0 to 8.9), which warrants prompt attention from organizations using the affected plugin.
Technical Analysis
The root cause of CVE-2026-28110 is improper neutralization of input during web page generation (CWE-79): a request parameter is copied into the HTML response without being encoded for the context in which it lands, so an attacker who controls that parameter can inject markup and script. Per the CVSS metrics, the attack vector is network, attack complexity is low and no privileges are required, but user interaction is required: the victim has to open a link or submit a form that the attacker crafted.
The confidentiality, integrity and availability impacts are each rated low. With those ratings the score reaches 7.1 only under a changed scope, which is the usual way reflected XSS is scored: the injected script executes in the victim's browser, a different security authority from the server component that failed to encode the input. The per-metric "low" ratings should not be read as low real-world risk; a script running in an administrator's session can issue authenticated requests on that user's behalf.
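The following is an added illustration of the CWE-79 pattern described above, not code from the affected plugin (whose source is not reproduced here). It uses a hypothetical `banner` query parameter and a constructed payload, and shows the same value rendered three ways: reflected unencoded (the vulnerable pattern), escaped for HTML attribute and text contexts, and serialized for a JavaScript string context, where HTML escaping is the wrong tool. The plugin itself is PHP; in WordPress the corresponding helpers are esc_attr(), esc_html() and wp_json_encode().

```python
import html
import json
from urllib.parse import parse_qs, urlencode

# Constructed attack input: closes the attribute it lands in, then injects a script tag.
PAYLOAD = '"><script>alert(document.domain)</script>'
# Query string as it would appear after '?' in a crafted link (parameter name is hypothetical).
ATTACK_QUERY = urlencode({"banner": PAYLOAD})


def _banner_param(query_string):
    """Extract the hypothetical 'banner' parameter; parse_qs percent-decodes it."""
    return parse_qs(query_string).get("banner", [""])[0]


def render_vulnerable(query_string):
    """CWE-79 pattern: request data copied straight into the page with no neutralization."""
    banner = _banner_param(query_string)
    return f'<div class="playlist" data-banner="{banner}">Banner: {banner}</div>'


def render_hardened(query_string):
    """Same page, but each copy of the value is escaped for the context it lands in."""
    banner = _banner_param(query_string)
    attr = html.escape(banner, quote=True)   # attribute context: quotes must be escaped too
    text = html.escape(banner, quote=False)  # text-node context: <, > and & are enough
    return f'<div class="playlist" data-banner="{attr}">Banner: {text}</div>'


def render_into_script(query_string):
    """JavaScript string context: serialize as JSON, then escape <, > and & as \\uXXXX so
    the value can never contain a literal '</script>' that closes the enclosing block."""
    banner = _banner_param(query_string)
    literal = (json.dumps(banner)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return f"<script>var banner = {literal};</script>"


def script_tag_injected(markup):
    """True when the attacker's payload survives verbatim in the output."""
    return PAYLOAD in markup


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(ATTACK_QUERY))
    print("hardened   :", render_hardened(ATTACK_QUERY))
    print("js context :", render_into_script(ATTACK_QUERY))
```

The point of the third function is the caveat practitioners most often miss: html.escape() on a value placed inside a `<script>` block neither makes the JavaScript correct nor reliably prevents breaking out of it, whereas a JSON literal with `<`, `>` and `&` additionally escaped is safe in that context.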
Risk & Impact Analysis
In a real deployment the risk is that a user of the site, typically one with a privileged session, is lured into opening a crafted URL. The injected script then runs with that user's session: it can read page content, issue authenticated requests and perform actions as that user. The blast radius is every user who can be induced to follow a link to the affected site, and it widens to the whole site if an administrator's session is used to change settings or content.
Organizations running the LambertGroup AllInOne Banner with Playlist plugin should apply the vendor's fix promptly; the 7.1 score and the absence of any authentication requirement justify placing it in the next priority patch cycle.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
All versions of the LambertGroup AllInOne Banner with Playlist plugin up to and including 3.8 are affected.
Mitigation & Remediation
Organizations should prioritize updating the LambertGroup AllInOne Banner with Playlist plugin to the release the vendor identifies as fixing this issue (the fixed version is not listed here; confirm it against the vendor's changelog). If an immediate update is not possible, add a web application firewall rule that blocks requests whose parameters contain script tags, HTML event handlers or javascript: URLs; treat this strictly as a stopgap, since encoding variants and alternative payloads routinely bypass pattern-based rules. Independently of the patch, a Content-Security-Policy that disallows inline script limits what an injected payload can do if it does run; test it first, as many plugins depend on inline scripts.
Detection Guidance
Reflected XSS leaves its payload in the request, so the web server access log is the primary source. Search query strings (and request bodies, if logged) for fragments such as `<script`, `<img`, `<svg`, `onerror=`, `onload=` and `javascript:`, in plain, percent-encoded and double-encoded forms. A request carrying such a payload with a Referer from an external site is the signature of a victim following a crafted link, as opposed to a scanner probing directly. Server logs cannot show whether script executed; for a client-side signal, deploy Content-Security-Policy in report-only mode and review the violation reports, which record inline script the policy would have blocked.
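As an added example of the log review described above (not part of the original advisory or any vendor tooling), the script below parses Apache combined-format access log lines, percent-decodes each query parameter repeatedly so double-encoded payloads are not missed, and flags requests whose parameter values look like XSS probes, recording the Referer so link-following victims can be told apart from direct scanner traffic. The log lines are constructed for the example; the paths and parameter names in them are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (Apache combined format); not from a real deployment.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:15:01 +0000] "GET /?p=12&banner=summer HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2026:10:16:44 +0000] "GET /?p=12&banner=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5310 "http://evil.example/" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2026:10:17:02 +0000] "GET /wp-admin/admin.php?page=playlist&id=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.10 - - [12/Mar/2026:10:18:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Heuristic XSS indicators: tag openers, javascript: URLs, HTML event handlers.
# The event-handler clause (on...=) can false-positive on values like "one=two"; tune as needed.
XSS_RE = re.compile(
    r'<\s*(script|img|svg|iframe|body|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=',
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %253C -> %3C -> < is seen as a '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters that match the XSS heuristic."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        decoded = fully_decode(raw)
        if XSS_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Scan log text; return one finding per request with suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "status": m["status"],
                "referer": m["referer"],   # external Referer suggests a victim followed a link
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["referer"], f["params"])
```

Two details matter in practice. Decoding is repeated because a browser decodes the URL once and the application may decode again, so a double-encoded payload reaches the vulnerable sink while a single-decode log search never sees a `<`. And the hit on line two carries an external Referer, which is what distinguishes a delivered attack from the direct probing on line three.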
AppSecure Threat Intelligence Insight
This vulnerability is another instance of the most common web application weakness class: request data written into a response without context-appropriate encoding. Teams that deploy third-party plugins should include them in their application security testing, since plugin code runs with the same trust as the core application it extends.
Regular penetration testing and vulnerability assessment of the deployed application, plugins included, combined with continuous security testing in the release pipeline, find issues of this kind before an attacker does.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.