Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field.
AnalysisAI
Timo 2.0.3 contains a stored cross-site scripting (XSS) vulnerability in the title field that allows unauthenticated remote attackers to inject malicious scripts via crafted links, resulting in session hijacking, credential theft, or malware distribution to other users viewing affected content. Publicly available exploit code exists (referenced via GitHub issue), and the vulnerability is rated CVSS 6.1 with cross-site scope impact, though no evidence of active exploitation in the wild has been confirmed at the time of analysis.
Technical ContextAI
This vulnerability exploits improper input validation and output encoding in Timo 2.0.3's title field handling, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The root cause stems from failure to sanitize or escape user-supplied input before rendering it in HTML context, allowing attackers to embed arbitrary JavaScript payloads that execute in the browsers of users who view the crafted content. The affected product Timo (CPE information incomplete in source data) is a web-based application; the vulnerability specifically resides in the data persistence and display layer where user-submitted titles are stored and subsequently rendered without proper context-aware encoding.
RemediationAI
Upgrade Timo to a patched version released by the vendor after disclosure of CVE-2026-30162; consult the official Timo GitHub repository (https://github.com/auntvt/Timo) and NIST NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-30162) for exact patch version availability. As an immediate interim control, restrict title field input to a whitelist of safe characters (alphanumeric, spaces, hyphens, underscores), disable HTML rendering in title display contexts, and apply output encoding (HTML entity encoding) to all dynamically rendered title values. Implement a Content Security Policy (CSP) header with strict-dynamic and script-src 'self' to mitigate the impact of any injected scripts. Until patching is available, audit existing content for suspicious or encoded payloads in title fields and consider temporarily disabling the ability to edit titles if the application permits.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16187
GHSA-vh39-72c6-788j