CVE-2026-44961
UnknownCVSS 0.0Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
The addUser method in the XML-RPC API has a validation bypass introduced in the fix for CVE-2025-55129. API users could create usernames that enabled impersonation or stored XSS attacks.
Risk Assessment
The organization may be exposed to impersonation attacks and XSS attacks, which could lead to data theft or compromise of system integrity.
Recommendation
It is recommended to update to the latest version of the software to eliminate the validation bypass and implement additional security measures.
Original NVD description (English source)
The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing.

