Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product.
AnalysisAI
Stored cross-site scripting (XSS) in MATCHA SNS 1.3.9 and earlier allows authenticated users to inject arbitrary scripts that execute in the browsers of other users accessing affected pages, potentially leading to session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for user interaction and authenticated access; no public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
MATCHA SNS is a social networking platform developed by ICZ Corporation. The vulnerability stems from improper input validation or output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation), a classic stored XSS flaw where user-supplied data is persisted in the application's database and rendered in HTML responses without proper sanitization. The CVSS vector (AV:N/AC:L/PR:L) indicates the vulnerability requires network access and an authenticated account (PR:L), but no special configuration complexity (AC:L). The UI:R flag shows user interaction is required-a victim must view a page containing the injected payload. The scope change (S:C) means the impact extends beyond the vulnerable component to affect other users' sessions or browser security domains.
RemediationAI
Upgrade MATCHA SNS to a version later than 1.3.9; consult the vendor advisory at https://oss.icz.co.jp/news/?p=1388 for exact patched version availability and download instructions. If immediate upgrade is not feasible, implement Content Security Policy (CSP) headers with script-src 'self' to mitigate stored XSS execution in user browsers, and conduct a code review or use automated SAST tools to identify and sanitize all user input rendering points (comments, profile fields, status updates, etc.). Apply output encoding (HTML entity encoding) to all dynamic content displayed to users. For MATCHA SNS administrators, review user-generated content for malicious scripts and disable or restrict accounts that have injected payloads pending the patch.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20052
GHSA-wm9p-h6hw-5vx8