PT-2026-37309 · Unknown · Yet Another Forum.Net

Published

2026-05-05

·

Updated

2026-05-12

·

CVE-2026-43938

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

YetAnotherForum.NET (YAF.NET) versions prior to 4.0.5
YetAnotherForum.NET (YAF.NET) versions prior to 3.2.12
Description

Stored Cross-Site Scripting (XSS) occurs when attacker-controlled input is persisted and later rendered without proper sanitization or encoding. In this case, the database logger YAFNET.Core/Logger/DbLogger.cs captures the User-Agent header into a JObject, serializes it, and stores it in the EventLog.Description column during event logging. The admin event-log page YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs later deserializes this JSON in the FormatStackTrace() function and interpolates the UserAgent value directly into an HTML string without encoding; that string is then emitted via @Html.Raw in the EventLog.cshtml view, which bypasses Razor's default output encoding. An unauthenticated attacker can trigger this by sending a request to the endpoint '/api/Attachments/GetAttachment' with a malicious User-Agent header, causing a server-side exception that logs the payload. When an administrator views the event log, the script executes in their authenticated session, potentially allowing full forum takeover, creation of administrative accounts, or exfiltration of user data.
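The weakness class described above (a stored, deserialized header value interpolated into markup and rendered unencoded) shown next to its output-encoded form, as an added C# example. This is not YAF.NET's own code: the LogEntry, EventLogFormatter, FormatVulnerable and FormatHardened names are assumptions chosen for the illustration, System.Text.Json stands in for the Newtonsoft JObject the advisory mentions, and the User-Agent string is constructed.

```csharp
using System;
using System.Net;
using System.Text.Json;

// Added illustration of CWE-116 (improper encoding of output) in the shape this
// advisory describes. Not YAF.NET code; all type and method names are assumptions.

public sealed class LogEntry
{
    public string UserAgent { get; set; } = "";
    public string Url { get; set; } = "";
}

public static class EventLogFormatter
{
    // Logging step: request metadata is serialized to JSON and persisted in a
    // description column as an opaque string. Nothing is encoded here, and that
    // is acceptable as long as the rendering side encodes.
    public static string Serialize(string userAgent, string url) =>
        JsonSerializer.Serialize(new LogEntry { UserAgent = userAgent, Url = url });

    // Vulnerable pattern: the stored JSON is deserialized and the UserAgent value
    // is interpolated into markup verbatim. If the view then renders the result
    // with Html.Raw, any markup in the header reaches the administrator's browser.
    public static string FormatVulnerable(string storedJson)
    {
        var entry = JsonSerializer.Deserialize<LogEntry>(storedJson)!;
        return $"<div class=\"ua\">User-Agent: {entry.UserAgent}</div>";
    }

    // Hardened pattern: every attacker-influenced field is HTML-encoded at the
    // point where it is placed into markup. Encoding at output time is the fix
    // that does not depend on what the logger accepted earlier.
    public static string FormatHardened(string storedJson)
    {
        var entry = JsonSerializer.Deserialize<LogEntry>(storedJson)!;
        string safeUa = WebUtility.HtmlEncode(entry.UserAgent);
        return $"<div class=\"ua\">User-Agent: {safeUa}</div>";
    }

    // Check a reviewer or test can run over rendered output: an untrusted value
    // containing tag delimiters must not appear in the HTML unchanged.
    public static bool RawTagsReachOutput(string html, string untrusted) =>
        untrusted.IndexOfAny(new[] { '<', '>' }) >= 0
        && html.Contains(untrusted, StringComparison.Ordinal);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample header: an ordinary UA string with a stray tag appended.
        const string sampleUserAgent = "Mozilla/5.0 (compatible) <b>constructed</b>";
        string stored = EventLogFormatter.Serialize(sampleUserAgent, "/api/Attachments/GetAttachment");

        string vulnerable = EventLogFormatter.FormatVulnerable(stored);
        string hardened = EventLogFormatter.FormatHardened(stored);

        Console.WriteLine("Vulnerable: " + vulnerable);
        Console.WriteLine("Hardened:   " + hardened);
        Console.WriteLine("Raw tags reach output (vulnerable): "
            + EventLogFormatter.RawTagsReachOutput(vulnerable, sampleUserAgent)); // True
        Console.WriteLine("Raw tags reach output (hardened):   "
            + EventLogFormatter.RawTagsReachOutput(hardened, sampleUserAgent));   // False
    }
}
```

In the hardened form the `<b>` in the sample becomes `&lt;b&gt;`, so the browser shows the header text instead of interpreting it. On the Razor side the same rule applies: rendering the formatted string with `@Model.Description` keeps Razor's automatic encoding, whereas `@Html.Raw(...)` disables it and must only ever receive markup that was encoded field by field, as `FormatHardened` does. Checking rendered admin pages for raw tag delimiters originating from request headers is a cheap regression test for this class of bug.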
Recommendations

Update to version 4.0.5 or later.
Update to version 3.2.12 or later.

Fix

XSS

Improper Encoding or Escaping of Output

Weakness Enumeration

Related Identifiers

CVE-2026-43938
GHSA-33GV-FC78-QGF5

Affected Products

Yet Another Forum.Net