Summary Two filter-bypass techniques in NukeViet\Core\Request::filterAttr() and NukeViet\Core\Request::unhtmlentities() allow a low-privileged user (any account with news post permission) to store and serve arbitrary Ja…
| CVE ID | CVE-2026-54064 |
| Vendor | composer |
| Affected Product | nukeviet/nukeviet |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
NukeViet\Core\Request::filterAttr() and NukeViet\Core\Request::unhtmlentities() allow a low-privileged user (any account with news post permission) to store and serve arbitrary JavaScript to any visitor of the affected page.vendor/vinades/nukeviet/Core/Request.php — class NukeViet\Core\Request\x0C) before event handler name The filterAttr() method blocks event-handler attributes using:``php preg_match('/^on/i', $attrSubSet[0]) ` PHP's trim() does not strip the ASCII Form Feed character (\x0C, U+000C). An attacker can prefix the attribute name with \x0C so that \x0Conerror does not match /^on/. The HTML5 browser parser treats \
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.