Skip to main content

wCMS CVE-2026-38669

| EUVDEUVD-2026-27001 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-04 mitre
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 20:22 vuln.today
CVSS changed
May 04, 2026 - 20:22 NVD
6.1 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 16:30 euvd
EUVD-2026-27001
CVE Published
May 04, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.

AnalysisAI

Stored cross-site scripting (XSS) in wCMS v.1.4 allows remote attackers to inject malicious scripts when creating new blog entries, which are executed in the browsers of other users who view the affected blog. The vulnerability requires user interaction (victim visiting the compromised blog) and affects site confidentiality and integrity. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability is a stored XSS flaw (CWE-79) in the blog creation functionality of wCMS v.1.4. The application fails to properly sanitize or encode user-supplied input when processing new blog post creation, allowing an attacker to embed arbitrary JavaScript code that persists in the application's database and executes when other users access the affected blog content. This is distinct from reflected XSS because the malicious payload is permanently stored rather than transmitted via request parameters.

RemediationAI

Upgrade to a patched version of wCMS newer than v.1.4 if available from the vendor. Immediate compensating controls include implementing Content Security Policy (CSP) headers to restrict inline script execution and disallow unsafe-inline, which will prevent stored XSS payloads from executing even if present in the DOM-note this requires adjusting any legitimate inline scripts the application relies on. Additionally, apply strict input validation and HTML entity encoding on all blog post submission fields server-side before storage, and implement output encoding when rendering blog content to users. If patched versions are unavailable, consider deploying a Web Application Firewall (WAF) with XSS detection rules to block requests containing script tags or event handlers in blog creation parameters. Consult the vendor or GitHub reference (https://github.com/thv930/yumeng_wu/tree/main/1/readme.md) for the latest security guidance.

Share

CVE-2026-38669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy