CVE-2026-3107 Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Teampass, the open-source collaborative password manager, affecting versions prior to 3.1.5.16. The vulnerability exists in the password import functionality accessible at the index.php?page=items endpoint. Due to insufficient input sanitization and encoding during the import process, attackers can inject malicious JavaScript payloads that are persistently stored in the application's database. When other users—including administrators—view the imported passwords, the malicious script executes automatically in their browser context.
Critical Impact
This stored XSS vulnerability enables attackers to execute arbitrary JavaScript in the browsers of all users who view the compromised password entries, potentially leading to session hijacking, credential theft, privilege escalation, and complete compromise of the password management system.
Affected Products
- Teampass versions prior to 3.1.5.16
- Teampass password import functionality (index.php?page=items endpoint)
- Organizations using Teampass for collaborative password management
Discovery Timeline
- 2026-03-31 - CVE-2026-3107 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-3107
Vulnerability Analysis
This vulnerability is classified as a Stored Cross-Site Scripting (XSS) flaw (CWE-79). Unlike reflected XSS attacks that require user interaction with a crafted link, stored XSS persists within the application's database, making it significantly more dangerous. Every user who subsequently views the affected password entries becomes a victim without any additional social engineering required.
The password import feature in Teampass allows users to bulk import credentials from external sources. During this import process, the application fails to properly sanitize user-supplied data before storing it in the database. When password entries are rendered in the user interface at the index.php?page=items endpoint, the unsanitized content is included directly in the HTML response without proper output encoding, allowing embedded JavaScript to execute.
The attack is particularly severe in the context of a password manager because successful exploitation grants attackers access to stored credentials, organizational secrets, and administrative functions. An attacker with low-privilege access could escalate to administrator-level control by hijacking an admin session.
Root Cause
The root cause of this vulnerability is the absence of proper input validation and output encoding in the password import workflow. The application accepts user-controlled data during the import process and stores it directly in the database without sanitization. Subsequently, when rendering this data in the browser, the application fails to apply HTML entity encoding or other XSS prevention techniques, allowing stored script content to execute as active code.
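The difference between the flawed and the fixed rendering path can be shown in a few lines. The following is an added example written for this page, not Teampass code; the item fields (title, login, url, notes) and sample values are constructed for illustration. It also covers a point the paragraph does not spell out: entity encoding alone does not neutralise a javascript: URI placed in an href attribute, so the URL field needs a scheme allow-list on top of encoding.

```python
import html
from urllib.parse import urlparse

# Constructed sample rows shaped like imported password items. The field names
# and values are illustrative only; they are not Teampass's schema or real data.
SAMPLE_ITEMS = [
    {"title": "Mail server", "login": "postmaster",
     "url": "https://mail.example.test", "notes": "rotate quarterly"},
    {"title": "<script>alert(1)</script>", "login": "x",
     "url": "javascript:alert(1)", "notes": "<img src=x onerror=alert(1)>"},
]

ALLOWED_URL_SCHEMES = {"http", "https"}


def render_unsafe(item):
    # The pattern the root cause describes: stored field values concatenated
    # straight into the HTML response with no output encoding.
    return (f"<tr><td>{item['title']}</td><td>{item['login']}</td>"
            f"<td><a href=\"{item['url']}\">{item['url']}</a></td>"
            f"<td>{item['notes']}</td></tr>")


def safe_href(url):
    # Entity encoding alone does not defuse a javascript: URI used as an href,
    # so the URL field additionally gets an allow-list on the scheme.
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() in ALLOWED_URL_SCHEMES and parsed.netloc:
        return html.escape(url, quote=True)
    return "#"  # neutral link target for anything that is not http(s)


def render_safe(item):
    # Every text value is HTML-entity encoded for the element context; the
    # href attribute goes through the scheme check above as well.
    def esc(value):
        return html.escape(value, quote=True)
    return (f"<tr><td>{esc(item['title'])}</td><td>{esc(item['login'])}</td>"
            f"<td><a href=\"{safe_href(item['url'])}\">{esc(item['url'])}</a></td>"
            f"<td>{esc(item['notes'])}</td></tr>")


def contains_active_markup(rendered):
    # Demo-only check: would a browser see a live tag or javascript: link here?
    low = rendered.lower()
    return "<script" in low or "<img" in low or 'href="javascript:' in low
```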
Attack Vector
The attack is network-based and can be executed by any authenticated user with access to the password import functionality. The attacker prepares a malicious import file containing JavaScript payloads embedded within password entry fields (such as title, username, URL, or notes). Upon importing this file, the payloads are stored in the Teampass database. Any user who navigates to view the imported items will have the malicious JavaScript execute in their browser session.
The attack chain follows this pattern: the attacker gains authenticated access to Teampass, crafts an import file with embedded XSS payloads (e.g., <script> tags or event handlers like onerror), uploads the file through the import feature, and waits for other users or administrators to view the imported entries. The payload then executes, potentially stealing session tokens, exfiltrating credentials, or performing actions on behalf of the victim.
Detection Methods for CVE-2026-3107
Indicators of Compromise
- Unusual JavaScript patterns in database entries for password items (e.g., <script> tags, javascript: URIs, or event handlers like onerror, onload)
- Unexpected network requests originating from user browsers when viewing password entries
- Session tokens or credentials being transmitted to external domains
- Import activity from users followed by anomalous administrator account behavior
Detection Strategies
- Implement Content Security Policy (CSP) headers and monitor for policy violations, which can indicate XSS execution attempts
- Deploy web application firewall (WAF) rules to detect and block common XSS patterns in HTTP requests
- Enable database audit logging to capture and review import operations and detect suspicious content patterns
- Monitor browser console errors and network traffic for signs of script injection execution
Monitoring Recommendations
- Review Teampass access logs for bulk import operations and correlate with subsequent user activity anomalies
- Configure alerts for outbound connections to unfamiliar domains from client browsers accessing the Teampass interface
- Implement endpoint detection to identify exfiltration of session cookies or credential data
- Regularly audit stored password entries for HTML/JavaScript content that should not be present
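The audit in the last point above, and the indicator list under Indicators of Compromise, can be scripted. This is an added example written for this page, not a Teampass tool: the field names (label, login, url, description) and the sample rows are constructed stand-ins for a SELECT over the items table, and the patterns cover the three indicator classes the page names (script tags, javascript: URIs, inline event handlers). Values are checked both as stored and after HTML entity decoding so that an entity-encoded copy at rest is not missed.

```python
import html
import re

# Indicator patterns taken from the IoC list: script tags, javascript: URIs and
# inline event handlers. Case-insensitive because HTML is. The event-handler
# pattern is the noisiest of the three, so findings still need a human look.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}

# Fields an import can populate. Assumed names for this example only.
SCANNED_FIELDS = ("label", "login", "url", "description")

# Constructed sample rows standing in for the result of a query over the
# items table; row 104 shows an entity-encoded copy that a raw grep misses.
SAMPLE_ROWS = [
    {"id": 101, "label": "VPN gateway", "login": "vpnadmin",
     "url": "https://vpn.example.test", "description": "MFA enforced"},
    {"id": 102, "label": "Payroll <script>alert(1)</script>", "login": "hr",
     "url": "https://payroll.example.test", "description": ""},
    {"id": 103, "label": "Wiki", "login": "editor",
     "url": "javascript:alert(1)", "description": "<img src=x onerror=alert(1)>"},
    {"id": 104, "label": "Backup NAS", "login": "backup",
     "url": "https://nas.example.test",
     "description": "&lt;script&gt;alert(1)&lt;/script&gt;"},
]


def scan_field(value):
    # Return the sorted set of indicator names matching the value, checked both
    # as stored and after entity decoding (one hit per indicator per field).
    hits = set()
    for candidate in (value, html.unescape(value)):
        for name, pattern in INDICATORS.items():
            if pattern.search(candidate):
                hits.add(name)
    return sorted(hits)


def scan_items(rows, fields=SCANNED_FIELDS):
    # Produce (item id, field, indicator) findings for review, in row order.
    findings = []
    for row in rows:
        for field in fields:
            value = row.get(field)
            if not isinstance(value, str):
                continue
            for indicator in scan_field(value):
                findings.append((row["id"], field, indicator))
    return findings
```

Point scan_items at the real rows (for example a cursor over the items table) and triage each finding against the import logs the previous points describe.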
How to Mitigate CVE-2026-3107
Immediate Actions Required
- Upgrade Teampass to version 3.1.5.16 or later immediately to address this vulnerability
- Audit existing password entries in the database for any signs of embedded malicious scripts
- Review recent import activity logs to identify potentially compromised entries
- Invalidate and rotate all active user sessions as a precaution against session hijacking
Patch Information
The vulnerability has been addressed in Teampass version 3.1.5.16. Organizations should prioritize upgrading to this version or later. For detailed information about this vulnerability and related security issues, refer to the INCIBE CERT Notice on Teampass Vulnerabilities.
Workarounds
- Temporarily restrict access to the password import functionality until the patch is applied
- Implement strict Content Security Policy (CSP) headers to mitigate XSS execution (e.g., disabling inline scripts)
- Deploy a web application firewall (WAF) with XSS detection rules in front of the Teampass application
- Limit user permissions to reduce the number of accounts with import capabilities
If immediate patching is not possible, administrators should consider temporarily disabling the import feature by modifying application permissions or access controls. Additionally, implementing CSP headers with script-src 'self' can help prevent execution of injected scripts, though this should be thoroughly tested to avoid breaking legitimate application functionality.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.