Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code
AnalysisAI
Stored Cross-Site Scripting in HTMLy 3.1.1 allows authenticated users with content creation privileges to inject malicious JavaScript via the image upload endpoint (/add/content?type=image), executing arbitrary code in victim browsers with scope change (S:C) indicating potential account takeover or session hijacking. Public proof-of-concept exists (YouTube demonstration and GitHub writeup), though EPSS score remains low (2%, 4th percentile) and no active exploitation has been confirmed by CISA KEV. CVSS 8.9 reflects high confidentiality and integrity impact but requires victim interaction.
Technical ContextAI
HTMLy is a flat-file CMS/blog platform written in PHP. This vulnerability affects the content creation module specifically at the image upload functionality. The application implements CWE-79 (Cross-Site Scripting) by failing to apply proper output encoding or input sanitization when processing user-supplied data through the /add/content?type=image endpoint. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, suggesting the injected script executes in contexts that impact other users or sessions. The attack requires low privileges (PR:L), indicating authenticated access to content creation features, and user interaction (UI:R), meaning a victim must view the malicious content. CPE data is incomplete (cpe:2.3:a:n/a:n/a), but EUVD and references confirm HTMLy version 3.1.1 as affected.
RemediationAI
Upgrade to a patched version of HTMLy if available from the official GitHub repository (https://github.com/danpros/htmly). At time of analysis, no vendor security advisory or specific patch version has been identified in the provided data. Users should monitor the HTMLy GitHub repository for security updates addressing CVE-2026-38949. As interim mitigation, restrict content creation privileges (the /add/content endpoint) to only fully trusted administrators, effectively eliminating the attack vector in environments where untrusted users do not require content creation access - this reduces exploitability but prevents legitimate multi-author use cases. Alternatively, implement Web Application Firewall (WAF) rules to sanitize inputs at the /add/content?type=image endpoint, though this adds infrastructure complexity and may have compatibility impacts with legitimate image uploads. Deploy Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution, which mitigates XSS impact but may break existing HTMLy features that rely on inline JavaScript. Review the POC methodology at https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md to understand specific payload patterns for detection rules.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26069