PT-2026-37310 · Unknown · Yet Another Forum.Net

Published: 2026-05-05 · Updated: 2026-05-12 · CVE-2026-43939
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
YetAnotherForum.NET (YAF.NET) versions prior to 4.0.5 (4.x branch)
YetAnotherForum.NET (YAF.NET) versions prior to 3.2.12 (3.x branch)
Description
The thread posting and reply feature stores user-supplied content server-side and renders it on the thread page without adequate HTML sanitization or contextual output encoding. The result is stored cross-site scripting (XSS): an attacker can inject arbitrary JavaScript that executes in the browser of every user who views the affected thread, without any further interaction on the victim's part. Depending on who views the post, this can lead to theft of session or authentication cookies, account takeover, privileged actions forced through a moderator's or administrator's browser, credential phishing, forum defacement, or malware delivery. The issue is triggered by a post or reply containing a payload such as "><img src=x onerror=prompt(0)>: the leading "> closes the attribute and tag the content is rendered inside, and the injected <img> element's onerror handler then runs automatically when the page loads.
Recommendations
Update to version 4.0.5 or, on the 3.x branch, to version 3.2.12.
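As an added illustration (not code from YAF.NET or from the advisory), the following Node.js snippet reproduces the failure mode the description names against a made-up post template: the stored author and body fields are concatenated straight into HTML, a blocklist "sanitizer" that strips <script> elements is shown to be inadequate against the quoted payload, and contextual HTML encoding is shown to neutralize it. The template, the field names and the start-tag counting check are assumptions made for this example; the payload is the one the advisory quotes.

```javascript
// Added example, not YAF.NET code. Field names, the template and the
// counting check are made up for illustration; the payload is the advisory's.
const PAYLOAD = '"><img src=x onerror=prompt(0)>';

// Vulnerable rendering: stored values are concatenated straight into HTML.
// In the attribute, the leading " closes data-author and > closes the <div>
// start tag, so the <img> that follows is parsed as a sibling element; in the
// body it is parsed as markup directly. Either way onerror fires on load.
function renderPostVulnerable(post) {
  return `<div class="post" data-author="${post.author}">${post.body}</div>`;
}

// Inadequate "sanitization": a blocklist that removes <script> elements.
// It does nothing against event-handler attributes such as onerror, so the
// advisory's payload passes through untouched.
function stripScriptTags(s) {
  return String(s).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}
function renderPostBlocklist(post) {
  return renderPostVulnerable({
    author: stripScriptTags(post.author),
    body: stripScriptTags(post.body),
  });
}

// Contextual output encoding for HTML element content and double-quoted
// attribute values: every character that can change the parser's state is
// replaced by an entity, so the browser treats the whole value as text.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}
function renderPostSafe(post) {
  return `<div class="post" data-author="${encodeHtml(post.author)}">${encodeHtml(post.body)}</div>`;
}

// Check: count element start tags in the rendered HTML. The template contains
// exactly one (<div>); any additional start tag was introduced by user data.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample post with attacker-controlled author and body.
const MALICIOUS_POST = { author: PAYLOAD, body: PAYLOAD };

for (const [name, render] of [
  ['vulnerable', renderPostVulnerable],
  ['blocklist ', renderPostBlocklist],
  ['encoded   ', renderPostSafe],
]) {
  const html = render(MALICIOUS_POST);
  console.log(`${name}: ${countStartTags(html)} start tag(s)\n  ${html}`);
}
```

Run it with `node`. Encoding is the right default wherever a stored value is rendered as text. Where a forum deliberately renders markup (BBCode or a limited HTML subset), the whole body cannot simply be entity-encoded; it then needs an allow-list HTML sanitizer with an explicit tag and attribute policy (event-handler attributes and javascript: URLs excluded), with HttpOnly session cookies and a Content-Security-Policy as defence in depth to limit what a residual injection can do.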

Fix: available (see Recommendations)
Type: XSS
Weakness Enumeration: Improper Encoding or Escaping of Output (CWE-116)

Related Identifiers: CVE-2026-43939, GHSA-8RQ5-WWPP-FMJ2
Affected Products: Yet Another Forum.Net