Skip to main content

YAFNET CVE-2026-43939

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-05 https://github.com/YAFNET/YAFNET GHSA-8rq5-wwpp-fmj2
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 21:30 vuln.today
Analysis Generated
May 05, 2026 - 21:30 vuln.today

DescriptionGitHub Advisory

Description: Stored Cross-Site Scripting (XSS) occurs when user-supplied input is persisted by the application and later rendered in another user's browser without proper sanitization or contextual output encoding. When the vulnerable sink is a high-traffic surface such as a public forum thread, the payload executes in the browser of every user who visits the page, maximizing both reach and impact. Any JavaScript injected through such a sink runs under the application's origin and inherits the privileges of whichever user happens to view the affected content.

Issue Details: The thread posting and reply feature accepts user-supplied content that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. Submitting a post or reply containing "><img src=x onerror=prompt(0)> causes the payload to break out of the surrounding HTML context and inject a fully attacker-controlled <img> element whose onerror handler fires automatically as soon as the broken image reference fails to load. Because posts and replies are visible to every user who visits the thread, authenticated or otherwise, the injected JavaScript executes in each viewer's browser the moment the page renders, with no additional interaction required.

Impact: An attacker with a standard forum account can execute arbitrary JavaScript in the browser of every user who loads the affected thread, including moderators and administrators. This enables session/auth-cookie theft, account takeover through same-origin state-changing requests, forced privileged actions if an administrator views the thread, credential phishing via injected login overlays, forum defacement, cryptominer or malware delivery, and mass redirection of viewers to attacker-controlled sites. Because the payload triggers automatically on page load rather than requiring hover or click interaction, a single malicious post can compromise a large number of users very quickly.

Likelihood: Exploitation requires only a registered account with permission to post or reply, which is available to every forum member by default. Once posted, the payload fires automatically for any visitor who opens the thread, requiring zero victim interaction and making the overall likelihood high.

Steps to Reproduce:

  • Log in to the forum as any low-privileged user (Attacker).
  • Navigate to any thread where posting or replying is allowed, or create a new thread.
  • In the post/reply body, submit the payload: "><img src=x onerror=prompt(0)>
  • Publish the post or reply.
  • Log in as a different user (e.g., Admin) or visit the thread in a separate browser session.
  • Open the thread page, the injected <img> fails to load and the onerror handler fires, producing a prompt(0) dialog and confirming arbitrary JavaScript execution in the viewer's session context.

<img width="1127" height="745" alt="image" src="https://github.com/user-attachments/assets/b93442ea-1d8e-4079-ab4f-e52d41d110f3" />

AnalysisAI

Stored Cross-Site Scripting in YAFNET forum software allows authenticated attackers to inject arbitrary JavaScript into thread posts and replies that automatically executes in the browser of every user who views the affected thread. Affects YAFNET.Core versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4. The payload triggers on page load without victim interaction, enabling session hijacking, credential theft, and account takeover of all viewers including administrators. Vendor-released patches are available (v3.2.12 and v4.0.5). No active exploitation confirmed by CISA KEV, though the attack requires only a standard forum account and proof-of-concept payload is documented in the GitHub advisory.

Technical ContextAI

YAFNET is an open-source ASP.NET forum platform distributed as the YAFNET.Core NuGet package. This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the forum's thread posting and reply mechanism. User-supplied content submitted through post/reply forms is persisted to the server-side database and subsequently rendered into thread view pages without adequate HTML sanitization or contextual output encoding. The application fails to apply defense-in-depth encoding when inserting stored user content into HTML contexts, allowing attackers to break out of the intended context using simple HTML injection vectors such as attribute-breaking double-quote sequences followed by event-handler-equipped elements. The documented payload "><img src=x onerror=prompt(0)> leverages automatic event firing (onerror on image load failure) rather than requiring hover or click interaction, which is characteristic of high-impact stored XSS in content management systems. CPE identifiers point to pkg:nuget/yafnet.core as the affected package namespace.

RemediationAI

Upgrade YAFNET.Core to a patched version immediately: version 3.2.12 for the 3.x branch (https://github.com/YAFNET/YAFNET/releases/tag/v3.2.12) or version 4.0.5 for the 4.x branch (https://github.com/YAFNET/YAFNET/releases/tag/v4.0.5). Both releases are confirmed fixes per the GitHub advisory at https://github.com/YAFNET/YAFNET/security/advisories/GHSA-8rq5-wwpp-fmj2. If immediate patching is not feasible, implement compensating controls: restrict forum posting privileges to a vetted whitelist of trusted users via role-based access controls, which trades forum openness for security by blocking untrusted actors from creating malicious posts. Deploy a web application firewall (WAF) with rules to detect and block common XSS payloads in POST request bodies targeting thread/reply endpoints; note this is bypassable via obfuscation and provides defense-in-depth rather than a complete fix. Audit existing thread content for suspicious HTML/JavaScript patterns and quarantine or delete malicious posts; this is labor-intensive and does not prevent future exploitation. Enable Content Security Policy (CSP) headers with 'unsafe-inline' removed from script-src directives to block inline event handlers, though this may break legitimate forum functionality if the application relies on inline scripts. The only robust long-term solution is applying the vendor patch, as workarounds either significantly degrade forum usability or provide incomplete protection against a well-documented attack vector.

Share

CVE-2026-43939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy