{"api_version":"1","generated_at":"2026-04-22T22:58:54+00:00","cve":"CVE-2021-26263","urls":{"html":"https://cve.report/CVE-2021-26263","api":"https://cve.report/api/cve/CVE-2021-26263.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-26263","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-26263"},"summary":{"title":"CVE-2021-26263","description":"Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.","state":"PUBLIC","assigner":"security@odoo.com","published_at":"2023-04-25 19:15:00","updated_at":"2023-05-05 21:15:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://github.com/odoo/odoo/issues/107693","name":"https://github.com/odoo/odoo/issues/107693","refsource":"MISC","tags":[],"title":"[SEC] CVE-2021-26263 - Cross-site scripting (XSS) issue in Discuss a... · Issue #107693 · odoo/odoo · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2023/dsa-5399","name":"https://www.debian.org/security/2023/dsa-5399","refsource":"MISC","tags":[],"title":"Debian -- Security Information -- DSA-5399-1 odoo","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-26263","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-26263","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"26263","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"14.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"26263","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"14.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"26263","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"15.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"26263","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"15.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-26263","qid":"181773","title":"Debian Security Update for odoo (DSA 5399-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2021-26263","ASSIGNER":"security@odoo.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Cross-site Scripting (XSS)"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Odoo","product":{"product_data":[{"product_name":"Odoo Community","version":{"version_data":[{"version_affected":"<=","version_name":"14.0","version_value":"15.0"}]}},{"product_name":"Odoo Enterprise","version":{"version_data":[{"version_affected":"<=","version_name":"14.0","version_value":"15.0"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/odoo/odoo/issues/107693","refsource":"MISC","name":"https://github.com/odoo/odoo/issues/107693"},{"url":"https://www.debian.org/security/2023/dsa-5399","refsource":"MISC","name":"https://www.debian.org/security/2023/dsa-5399"}]},"credits":[{"lang":"eng","value":"Theodoros Malachias"},{"lang":"eng","value":"iamsushi"},{"lang":"eng","value":"Ranjit Pahan"}],"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.0"}]}},"nvd":{"publishedDate":"2023-04-25 19:15:00","lastModifiedDate":"2023-05-05 21:15:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:14.0:*:*:*:community:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:14.0:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:15.0:*:*:*:community:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:15.0:*:*:*:enterprise:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"26263","Ordinal":"212565","Title":"CVE-2021-26263","CVE":"CVE-2021-26263","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"26263","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}