Skip to main content

PbootCMS CVE-2026-36239

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 mitre
4.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 27, 2026 - 19:42 vuln.today
CVSS changed
May 27, 2026 - 19:37 NVD
4.3 (MEDIUM)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality

AnalysisAI

Cross-site scripting (XSS) in PbootCMS v.3.2.11 allows a high-privileged authenticated attacker to inject malicious JavaScript into the site configuration functionality, which executes in the browser of any user who subsequently views the affected configuration page. Despite the description using the term 'code injection,' CWE-79 and the XSS tag confirm this is a stored or reflected XSS class vulnerability, not arbitrary server-side code execution. A GitHub-hosted proof-of-concept exists (TazmiDev/CVE-2026-36239), and no public patch has been identified at time of analysis; no active exploitation has been confirmed by CISA KEV.

Technical ContextAI

PbootCMS is a PHP-based open-source CMS. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application fails to sanitize or encode user-supplied input before rendering it in a browser context, specifically within the site configuration panel. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:U) confirms network-delivered exploitation requiring high privileges and victim user interaction - consistent with stored XSS where an admin plants a payload that fires when another user loads the configuration view. Notably, the description uses the phrase 'code injection,' which may be imprecise vendor/reporter language for script injection via XSS; CWE-79 and the 'XSS' tag are the authoritative classification here. The CPE string provided (cpe:2.3:a:n/a:n/a:*) is a placeholder and carries no useful product-identification information; affected product scope is derived from the description alone.

RemediationAI

No vendor-released patch has been identified at time of analysis. Administrators should monitor http://pbootcms.com and the project's official repository for a patched release. As a compensating control, restrict access to the site configuration functionality to the minimum number of trusted administrator accounts, since exploitation requires PR:H (high-privileged) access - reducing the admin population directly reduces attack surface. Implement Content Security Policy (CSP) headers to limit the impact of any injected scripts; however, CSP may interfere with legitimate CMS JavaScript functionality and should be tested before deployment. Additionally, audit current site configuration fields for unexpected or anomalous script tags, particularly if multiple administrators share the system. The GitHub POC at https://github.com/TazmiDev/CVE-2026-36239 can be used to test whether a given deployment is vulnerable after compensating controls are applied.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy