Skip to main content

Matcha Sns CVE-2026-27787

| EUVDEUVD-2026-20052 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 jpcert GHSA-wm9p-h6hw-5vx8
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 05:30 euvd
EUVD-2026-20052
Analysis Generated
Apr 08, 2026 - 05:30 vuln.today
CVE Published
Apr 08, 2026 - 05:11 nvd
MEDIUM 5.1

DescriptionCVE.org

Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product.

AnalysisAI

Stored cross-site scripting (XSS) in MATCHA SNS 1.3.9 and earlier allows authenticated users to inject arbitrary scripts that execute in the browsers of other users accessing affected pages, potentially leading to session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for user interaction and authenticated access; no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

MATCHA SNS is a social networking platform developed by ICZ Corporation. The vulnerability stems from improper input validation or output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation), a classic stored XSS flaw where user-supplied data is persisted in the application's database and rendered in HTML responses without proper sanitization. The CVSS vector (AV:N/AC:L/PR:L) indicates the vulnerability requires network access and an authenticated account (PR:L), but no special configuration complexity (AC:L). The UI:R flag shows user interaction is required-a victim must view a page containing the injected payload. The scope change (S:C) means the impact extends beyond the vulnerable component to affect other users' sessions or browser security domains.

RemediationAI

Upgrade MATCHA SNS to a version later than 1.3.9; consult the vendor advisory at https://oss.icz.co.jp/news/?p=1388 for exact patched version availability and download instructions. If immediate upgrade is not feasible, implement Content Security Policy (CSP) headers with script-src 'self' to mitigate stored XSS execution in user browsers, and conduct a code review or use automated SAST tools to identify and sanitize all user input rendering points (comments, profile fields, status updates, etc.). Apply output encoding (HTML entity encoding) to all dynamic content displayed to users. For MATCHA SNS administrators, review user-generated content for malicious scripts and disable or restrict accounts that have injected payloads pending the patch.

Share

CVE-2026-27787 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy