
Papercut Vulnerabilities Expose Data Confidentiality, Enable Remote XSS

Source: CERT-FR Security Advisories (www.cert.ssi.gouv.fr)
Published March 31st, 2026
Detected March 31st, 2026

Summary

CERT-FR issued a security advisory warning of multiple vulnerabilities in Papercut MF and NG (versions prior to 25.0.10). The flaws enable data confidentiality breaches and remote indirect cross-site scripting (XSS) attacks. Organizations running affected Papercut versions should update to 25.0.10 immediately to mitigate exploitation risk.

What changed

CERT-FR published Advisory CERTFR-2026-AVI-0377 disclosing two critical vulnerabilities in Papercut print management software: CVE-2026-4794 and CVE-2026-5115. These flaws affect Papercut MF and NG versions prior to 25.0.10, allowing attackers to compromise data confidentiality and execute remote indirect XSS attacks.

Organizations using Papercut should immediately identify all deployed instances, verify their versions, and apply the vendor's patches to reach version 25.0.10 or later. Refer to the Papercut security bulletin (papercut-ng-mf-security-bulletin-march-2026) for detailed patch instructions. No specific compliance deadline is stated, but immediate patching is recommended given the active risk to data confidentiality.

What to do next

  1. Identify all Papercut MF and NG deployments and verify current version numbers
  2. Update affected Papercut installations to version 25.0.10 or later using the vendor security bulletin
  3. Monitor CVE-2026-4794 and CVE-2026-5115 for any updates or additional mitigation guidance

Source document (simplified)

Prime Minister, S.G.D.S.N

Agence nationale de la sécurité des systèmes d'information

Paris, 31 March 2026
No. CERTFR-2026-AVI-0377
Case handled by: CERT-FR

CERT-FR Advisory

Subject: Multiple vulnerabilities in Papercut

Document management

| Reference | CERTFR-2026-AVI-0377 |
| Title | Multiple vulnerabilities in Papercut |
| Date of first version | 31 March 2026 |
| Date of latest version | 31 March 2026 |
| Source(s) | Papercut security bulletin papercut-ng-mf-security-bulletin-march-2026 of 31 March 2026 |

A detailed version history is at the end of this document.

Risks

  • Data confidentiality breach
  • Remote indirect code injection (XSS)

Affected systems

  • Papercut MF versions prior to 25.0.10
  • Papercut NG versions prior to 25.0.10

Summary

Multiple vulnerabilities have been discovered in Papercut. They allow an attacker to cause a data confidentiality breach and a remote indirect code injection (XSS).

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Documentation


Detailed document history

  1. 31 March 2026: Initial version

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CERT-FR
Published: March 31st, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Minor
Document ID: CERTFR-2026-AVI-0377

Who this affects

Applies to: Technology companies, Healthcare providers, Educational institutions
Industry sector: 5112 Software & Technology; 6211 Healthcare Providers; 6111 Higher Education
Activity scope: Vulnerability Management, Patch Management, Enterprise Print Management
Threshold: Papercut MF and NG versions prior to 25.0.10
Geographic scope: France (FR)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Information Security
