Skip to main content

MyEMS CVE-2026-15321

| EUVDEUVD-2026-42780 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 VulDB GHSA-4qw7-r7cw-fwf5
1.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Admin credentials required (PR:H), victim must view content (UI:R), XSS crosses into victim browser session (S:C) with low confidentiality and integrity impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 10, 2026 - 04:27 vuln.today
Severity Changed
Jul 10, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
Jul 10, 2026 - 04:22 NVD
4.8 (MEDIUM) 1.9 (LOW)

DescriptionCVE.org

A vulnerability was found in MyEMS up to 6.4.0. The affected element is the function on_post of the file myems-api/core/svg.py of the component Admin Backend. The manipulation of the argument new_values['data'] results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 6.5.0 is sufficient to fix this issue. The patch is identified as 4a97edfbd786c779d0322054833b21ddf54d5b06. It is suggested to upgrade the affected component. The issue report remains open even though there is an official fix for it.

AnalysisAI

Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the new_values['data'] argument in the on_post function of myems-api/core/svg.py within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin credentials via phishing or reuse
Delivery
Authenticate to MyEMS Admin Backend
Exploit
Submit crafted SVG payload via on_post endpoint
Execution
Payload stored server-side in SVG data field
Persist
Second admin views affected SVG content
Impact
Injected JavaScript executes in victim browser

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a high-privileged (administrator-level) account on the MyEMS Admin Backend - the CVSS PR:H metric confirms this. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 1.9 (vector: AV:N/AC:L/AT:N/PR:H/UI:P) accurately reflects the constrained exploitability of this issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated administrator with access to the MyEMS Admin Backend submits a crafted SVG payload containing embedded JavaScript via the `new_values['data']` parameter of the SVG API endpoint (`myems-api/core/svg.py`). When a second administrator navigates to the admin interface and views the stored SVG content, the injected script executes in their browser session, potentially enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim administrator. …
Remediation Upgrade MyEMS to version 6.5.0, which contains the official fix applied in commit `4a97edfbd786c779d0322054833b21ddf54d5b06`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy