PT-2026-41388 · Unknown · Nukeviet Cms

Beetrio189 · Published 2026-05-15 · Updated 2026-05-23

CVE-2026-41147
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: NukeViet CMS versions prior to 4.5.08
Description: Stored Cross-Site Scripting (XSS) occurs due to insufficient server-side input sanitization in the Request class. The application relies on client-side filtering to sanitize HTML tags and attributes, which can be bypassed by submitting the HTTP request directly instead of through the page's own JavaScript. This allows an anonymous visitor to inject malicious payloads that are stored on the server and executed in the browser of any user viewing the content, such as administrators or moderators reviewing comments or contact messages. Potential impacts include session hijacking through cookie theft, unauthorized actions performed under the victim's identity, defacement, redirection to phishing pages, and phishing via manipulated email notifications.
Recommendations: Update to version 4.5.08. Implement server-side HTML sanitization in the Request class, preferably as an allowlist of permitted tags and attributes, so that dangerous tags and attributes such as <iframe>, srcdoc, and event handlers like onerror or onload are stripped or encoded regardless of what the client submitted. Enforce a Content Security Policy (CSP) that disallows inline script execution. Set session cookies with the HttpOnly flag to mitigate cookie theft; note that HttpOnly does not prevent the other impacts listed above, since injected script can still issue requests under the victim's session.
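The server-side allowlist sanitizer the recommendation calls for, as an added example that is not NukeViet's Request class and not the project's fix. It assumes a small allowlist of comment-formatting tags and a per-tag attribute allowlist (both assumptions, chosen for illustration); everything not on the list, including <iframe>, srcdoc, javascript: hrefs and every on* handler, is dropped on the server no matter what the browser-side filter did or did not do. The payloads at the bottom are constructed samples of the kind the advisory names.

```python
"""Server-side allowlist HTML sanitizer (added illustration, not NukeViet code).
Tag and attribute allowlists are assumptions chosen for a comment/contact form."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the handful of tags a comment or contact message needs.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "blockquote", "code", "pre", "a"}
VOID_TAGS = {"br"}
# Attributes are allowlisted per tag, so srcdoc, style and every on* handler
# are dropped without having to enumerate them.
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
# These elements lose their content as well as their tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "template"}


def safe_url(value):
    """Accept relative URLs and allowlisted schemes; reject javascript:, data:, ..."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed, non-void tags still open
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1      # an unclosed one swallows the rest: fail closed
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                    # unknown tag dropped; its text survives, escaped
        kept = []
        for name, value in attrs:     # HTMLParser already lowercases names and decodes entities
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue              # drops srcdoc, style, onerror, onload, ...
            value = value or ""
            if name == "href" and not safe_url(value):
                continue              # drops javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return                    # stray or disallowed closing tag: ignore
        while self.open_tags:         # close anything left open inside it
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                          # comments (incl. conditional comments) are dropped

    def result(self):
        self.close()
        while self.open_tags:         # balance whatever the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(untrusted):
    """Run on the server for every stored field; never trust a client-side filter."""
    s = Sanitizer()
    s.feed(untrusted)
    return s.result()


if __name__ == "__main__":
    # Constructed payloads of the kind the advisory names; with the client-side
    # filter bypassed, these reach the server exactly like this.
    for payload in (
        '<p>Thanks, <b>great</b> post</p>',
        '<iframe srcdoc="<script>alert(document.cookie)</script>"></iframe>',
        '<img src=x onerror="alert(1)">',
        '<a href="javascript:alert(1)" onclick="x()">read more</a>',
    ):
        print(repr(payload), "->", repr(sanitize_html(payload)))
```

Apply this at the server boundary to every field that is later rendered as HTML (comment bodies, contact messages, display names), and keep context-appropriate output encoding at render time as a second layer. A CSP without 'unsafe-inline' in script-src blocks inline handlers and inline scripts that slip through; a srcdoc iframe inherits the embedding page's policy, and frame-src 'none' removes that vector outright.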

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-41147
GHSA-64RR-PP78-62WW

Affected Products

Nukeviet Cms