PT-2026-41388 · Unknown · Nukeviet Cms
Beetrio189 · Published 2026-05-15 · Updated 2026-05-23 · CVE-2026-41147
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
NukeViet CMS versions prior to 4.5.08
Description
Stored Cross-Site Scripting (XSS) occurs due to insufficient server-side input sanitization in the Request class. The application relies on client-side filtering to sanitize HTML tags and attributes, which can be bypassed by modifying HTTP requests. This allows an anonymous visitor to inject malicious payloads that are stored on the server and executed in the browser of any user viewing the content, such as administrators or moderators reviewing comments or contact messages. Potential impacts include session hijacking through cookie theft, unauthorized actions performed under the victim's identity, defacement, redirection to phishing pages, and phishing via manipulated email notifications.
Recommendations
Update to version 4.5.08.
Implement server-side HTML sanitization in the Request class to strip or encode dangerous tags and attributes such as <iframe>, srcdoc, and event handlers like onerror or onload.
Enforce a Content Security Policy (CSP) to restrict inline script execution.
Set cookies with the HttpOnly flag to mitigate cookie theft.
Affected Products
Nukeviet Cms