Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Admin credentials required (PR:H), victim must view content (UI:R), XSS crosses into victim browser session (S:C) with low confidentiality and integrity impact.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was found in MyEMS up to 6.4.0. The affected element is the function on_post of the file myems-api/core/svg.py of the component Admin Backend. The manipulation of the argument new_values['data'] results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 6.5.0 is sufficient to fix this issue. The patch is identified as 4a97edfbd786c779d0322054833b21ddf54d5b06. It is suggested to upgrade the affected component. The issue report remains open even though there is an official fix for it.
AnalysisAI
Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the new_values['data'] argument in the on_post function of myems-api/core/svg.py within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a high-privileged (administrator-level) account on the MyEMS Admin Backend - the CVSS PR:H metric confirms this. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 1.9 (vector: AV:N/AC:L/AT:N/PR:H/UI:P) accurately reflects the constrained exploitability of this issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated administrator with access to the MyEMS Admin Backend submits a crafted SVG payload containing embedded JavaScript via the `new_values['data']` parameter of the SVG API endpoint (`myems-api/core/svg.py`). When a second administrator navigates to the admin interface and views the stored SVG content, the injected script executes in their browser session, potentially enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim administrator. … |
| Remediation | Upgrade MyEMS to version 6.5.0, which contains the official fix applied in commit `4a97edfbd786c779d0322054833b21ddf54d5b06`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42780
GHSA-4qw7-r7cw-fwf5