PT-2026-6078 · Unknown · Nukegraphic Cms

Carlos Budiman +2 · Published 2026-02-05 · Updated 2026-02-05 · CVE-2026-1953

CVSS v4.0: 8.2 High

Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
Nukegraphic CMS version 3.1.2

Description
Nukegraphic CMS version 3.1.2 has a stored cross-site scripting (XSS) issue in the user profile edit functionality located at the /ngc-cms/user-edit-profile.php API endpoint. The application does not properly sanitize user input in the name field before storing it in the database and displaying it on various CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through a profile edit request. These payloads are then executed site-wide whenever the affected user's name is displayed, allowing the attacker to execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking or credential theft.

Recommendations
Nukegraphic CMS version 3.1.2: Update to a newer, fixed version of the software.
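
The class of fix for the issue described above, as an added example that is not Nukegraphic CMS code and not taken from the advisory: the name is bounded on input and HTML-encoded at every place it is printed. The function names, the 64-character limit, the markup and the sample value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the CMS's real code is not shown in the advisory.

/** Input side: normalise and bound the profile name before it is stored. */
function normalize_profile_name(string $raw): string
{
    // With /u, PCRE rejects invalid UTF-8 and preg_replace() returns null.
    $name = preg_replace('/\p{Cc}+/u', ' ', $raw);   // control chars -> space
    if ($name === null) {
        throw new InvalidArgumentException('name must be valid UTF-8');
    }
    $name = trim(preg_replace('/\s+/u', ' ', $name) ?? '');
    // 1 to 64 code points (the limit is an assumed policy value).
    if (preg_match('/^.{1,64}$/us', $name) !== 1) {
        throw new InvalidArgumentException('name must be 1-64 characters');
    }
    // Markup characters are deliberately not stripped here: the value is
    // stored as plain text and made safe where it is rendered.
    return $name;
}

/** Output side: encode for HTML text and quoted-attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars(
        $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// Constructed sample: a name that reached the database containing markup.
$storedName = 'Mallory <script>/* constructed sample */</script>';

// Pattern the advisory describes (do not use): the stored value is
// concatenated into the page verbatim, so the browser parses it as HTML.
//   '<span class="author">' . $storedName . '</span>'

// Hardened rendering: every sink that prints the name encodes it, so the
// browser displays the characters instead of interpreting them.
$safe = '<span class="author" title="' . e($storedName) . '">'
      . e($storedName) . '</span>';

echo $safe, PHP_EOL;
```

Encoding at output also neutralises names that were stored before any input check existed, which input validation alone does not. The encoder shown covers HTML text and quoted attributes only; a name placed inside a script block or a URL needs the encoder for that context.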

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers
CVE-2026-1953

Affected Products
Nukegraphic Cms