CVE-2026-0518

Published Jan 17, 2026

Last updated a month ago

CVSS medium 4.8

Overview

Description
CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator’s use of the console.
Source
SecurityResponse@netmotionsoftware.com
NVD status
Analyzed
Products
secure_access

Risk scores

CVSS 4.0

Type
Secondary
Base score
4.8
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
4.8
Impact score
2.7
Exploitability score
1.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-79

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system.CVE-2026-0519
  2. CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crashCVE-2026-0517
  3. CVE-2025-59596 is a denial-of-service vulnerability in Secure Access Windows client versions 12.0 to 14.10 that is addressed in version 14.12. If a local networking policy is active, attackers on an adjacent network may be able to send a crafted packet and cause the client system to crash.CVE-2025-59596
  4. CVE-2025-59595 is an internally discovered denial of service vulnerability in versions of Secure Access prior to 14.12. An attacker can send a specially crafted packet to a server in a non-default configuration and cause the server to crash.CVE-2025-59595
  5. CVE-2025-54089 is a cross-site scripting vulnerability in versions of secure access prior to 14.10. Attackers with administrative access to the console can interfere with another administrator’s access to the console. The attack complexity is low; there are no attack requirements. Privileges required to execute the attack are high and the victim must actively participate in the attack sequence. There is no impact to confidentiality or availability, there is a low impact to integrity.CVE-2025-54089

References

Sources include official advisories and independent security research.