Severity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality
AnalysisAI
Cross-site scripting (XSS) in PbootCMS v.3.2.11 allows a high-privileged authenticated attacker to inject malicious JavaScript into the site configuration functionality, which executes in the browser of any user who subsequently views the affected configuration page. Despite the description using the term 'code injection,' CWE-79 and the XSS tag confirm this is a stored or reflected XSS class vulnerability, not arbitrary server-side code execution. A GitHub-hosted proof-of-concept exists (TazmiDev/CVE-2026-36239), and no public patch has been identified at time of analysis; no active exploitation has been confirmed by CISA KEV.
Technical ContextAI
PbootCMS is a PHP-based open-source CMS. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the application fails to sanitize or encode user-supplied input before rendering it in a browser context, specifically within the site configuration panel. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:U) confirms network-delivered exploitation requiring high privileges and victim user interaction - consistent with stored XSS where an admin plants a payload that fires when another user loads the configuration view. Notably, the description uses the phrase 'code injection,' which may be imprecise vendor/reporter language for script injection via XSS; CWE-79 and the 'XSS' tag are the authoritative classification here. The CPE string provided (cpe:2.3:a:n/a:n/a:*) is a placeholder and carries no useful product-identification information; affected product scope is derived from the description alone.
RemediationAI
No vendor-released patch has been identified at time of analysis. Administrators should monitor http://pbootcms.com and the project's official repository for a patched release. As a compensating control, restrict access to the site configuration functionality to the minimum number of trusted administrator accounts, since exploitation requires PR:H (high-privileged) access - reducing the admin population directly reduces attack surface. Implement Content Security Policy (CSP) headers to limit the impact of any injected scripts; however, CSP may interfere with legitimate CMS JavaScript functionality and should be tested before deployment. Additionally, audit current site configuration fields for unexpected or anomalous script tags, particularly if multiple administrators share the system. The GitHub POC at https://github.com/TazmiDev/CVE-2026-36239 can be used to test whether a given deployment is vulnerable after compensating controls are applied.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today