HomeCVE Intelligence › CVE-2026-49259
CVSS 8.7 HIGH Vulnerability

CVE-2026-49259: NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Script…

Summary A stored cross-site scripting (XSS) vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display name fields. Th…

8.7CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-49259
Vendorcomposer
Affected Productnukeviet/nukeviet
Vulnerability TypeVulnerability
CVSS Score8.7 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Summary A stored cross-site scripting (XSS) vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display name fields. The payload executes in the browser of any visitor — including administrators — who clicks the Reply ("Answer") link on a comment posted by that user.

Affected Component The {COMMENT.post_name} template variable is interpolated without JavaScript-context escaping into an inline onclick handler in both comment block positions: - themes/default/modules/comment/comment.tpl line 27 (top-level comments)

themes/default/modules/comment/comment.tpl line 64 (nested/reply comments) ``html

onclick="nv_commment_feedback(event, {COMMENT.cid}, '{COMMENT.post_name}')" `

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-49259 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence