
Nicholas Abraham

#31348 of 53,639
8.2 total CVSS
Vulnerabilities · 1
PT-2026-6078
8.2
2026-02-05
Unknown · Nukegraphic Cms · CVE-2026-1953
**Name of the Vulnerable Software and Affected Versions**

Nukegraphic CMS version 3.1.2

**Description**

Nukegraphic CMS version 3.1.2 has a stored cross-site scripting (XSS) issue in the user profile edit functionality located at the `/ngc-cms/user-edit-profile.php` API endpoint. The application does not properly sanitize user input in the `name` field before storing it in the database and displaying it on various CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through a profile edit request. These payloads are then executed site-wide whenever the affected user's name is displayed, allowing the attacker to execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking or credential theft.

**Recommendations**

Nukegraphic CMS version 3.1.2: Update to a newer, fixed version of the software.