Summary A stored cross-site scripting (XSS) vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display name fields. Th…
| CVE ID | CVE-2026-49259 |
| Vendor | composer |
| Affected Product | nukeviet/nukeviet |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
{COMMENT.post_name} template variable is interpolated without JavaScript-context escaping into an inline onclick handler in both comment block positions: - themes/default/modules/comment/comment.tpl line 27 (top-level comments)themes/default/modules/comment/comment.tpl line 64 (nested/reply comments) ``htmlonclick="nv_commment_feedback(event, {COMMENT.cid}, '{COMMENT.post_name}')" `
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.