CVE-2026-4852

Name of the Vulnerable Software and Affected Versions Image Source Control Lite – Show Image Credits and Captions versions prior to 3.9.2

Description Insufficient input sanitization and output escaping in the 'Image Source' attachment field allow authenticated attackers with Author-level access and above to inject arbitrary web scripts. These scripts execute whenever a user accesses an affected page. Stored Cross-Site Scripting is a flaw where a malicious script is permanently stored on the target server.

Recommendations Update to a version newer than 3.9.1.