CVSS 8.7 HIGH Vulnerability

CVE-2026-41147: NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input saniti…


CVSS Score: 8.7
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-41147
Vendor: composer
Affected Product: nukeviet/nukeviet
Vulnerability Type: Vulnerability
CVSS Score: 8.7 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Impact

NukeViet CMS `, which are stored server-side and executed in the browser of any user who views the content.

Who is impacted:

• Administrators and moderators who view user-submitted content (e.g., contact messages, comments, or any module using the Request class for HTML input).
• The Contact module was used as a proof of concept, but the vulnerability is not limited to this module.
• No authentication is required to exploit this vulnerability, making it accessible to any anonymous visitor.

Potential impact includes:
• Session hijacking via cookie theft (for non-HttpOnly cookies)
• Performing actions on the application under the victim's identity
• Defacement or redirection to phishing pages
• Phishing attacks via manipulated email notifications

Patches This vulnerabi
