Skip to main content

NukeViet CMS CVE-2026-48118

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 https://github.com/nukeviet/nukeviet GHSA-mxpf-qgg6-v3ff
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Remote crafted URL (AV:N), token readable from public HTML (AC:L, PR:N), victim must click the link (UI:R), JS crosses into the browser security context (S:C), demonstrated credential capture (C:H) with limited DOM/authenticated-request integrity impact (I:L) and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 19:22 vuln.today
Analysis Generated
Jul 13, 2026 - 19:22 vuln.today
CVE Published
Jul 13, 2026 - 17:21 github-advisory
HIGH 8.2

DescriptionGitHub Advisory

Summary

Reflected XSS in the Comment module via the status_comment URL parameter. The parameter accepts attacker-controlled base64-encoded HTML/JavaScript that is decoded server-side and rendered unescaped into the page. Compounded by a second flaw: the checkss anti-forgery token was derived from a site-wide static value (NV_CACHE_PREFIX) instead of a per-session value, making the token reusable across all users and allowing the attack to be delivered via a simple crafted URL.

Details

Vulnerability 1 - Reflected XSS via status_comment

Affected components:

  • modules/comment/funcs/main.php - parameter ingestion
  • modules/comment/comment.php - decode and template assignment
  • themes/*/modules/comment/comment.tpl - raw render

The status_comment GET/POST parameter is sanitised with get_title(), which applies strip_tags(). Because the parameter is intended to carry a base64-encoded string, its character set ([A-Za-z0-9-_,]) passes through strip_tags() unchanged. The value is later decoded with nv_base64_decode() and assigned to the template variable STATUS_COMMENT without any escaping, which the template then renders raw inside a <div>.

The fundamental flaw is ordering: the filter is applied to the encoded form of the data, before decoding, so it is entirely ineffective against whatever the decoded content contains. Any HTML or JavaScript payload, once base64-encoded, survives the filter and executes in the victim's browser.

Vulnerability 2 - Session-independent checkss token

Affected components:

  • modules/comment/comment.php - token validation in comment-load and comment-module functions
  • modules/comment/funcs/post.php - token validation when posting
  • All caller modules that generate a checkss before invoking the comment system (e.g. modules/news, modules/page)

The checkss token required to load the comment block was computed by hashing the resource parameters together with NV_CACHE_PREFIX:

checkss = md5(module + area + id + allowed + NV_CACHE_PREFIX)

NV_CACHE_PREFIX is a static, site-wide constant - identical for every visitor - derived at install time from the site key and server name. The token therefore has the same value for all users viewing the same article and never changes between sessions.

This token is printed into the public HTML of every page that includes a comment block (as a data-checkss attribute on the comment container). Because the token is not session-bound, an attacker can read it from the page source and reuse it in a crafted URL targeting any other user.

The correct pattern, used consistently elsewhere in the codebase (e.g. modules/contact, modules/banners), is to derive the token from NV_CHECK_SESSION:

NV_CHECK_SESSION = md5(NV_CACHE_PREFIX + session_id)

This binds the token to the current session, so a token obtained by the attacker is invalid for any other user's session.

Attack scenario

  1. Attacker opens any article with a comment block and reads the checkss value from the HTML source.
  2. Attacker constructs a payload (e.g. a credential-phishing overlay) and base64-encodes it.
  3. Attacker delivers the following URL to the victim:
   https://<target>/index.php?language=vi&nv=comment&comment_load=1
     &module=news&area=<area>&id=<id>&allowed=<allowed>
     &checkss=<value_from_step_1>
     &status_comment=<base64_payload>
  1. When the victim opens the URL, the decoded payload renders in their browser within the site's origin, with access to cookies, session storage, and the ability to make authenticated requests.

Verified impact: A phishing overlay form was confirmed to transmit captured plaintext credentials to an attacker-controlled server. No authentication is required at any step.

CSP note: NukeViet's Content-Security-Policy includes script-src 'unsafe-inline' and does not restrict navigation, so the policy does not prevent exploitation.

CVSS 3.1

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N Base Score: 8.2 (High)

MetricValueRationale
Attack VectorNetworkExploitable remotely via crafted URL
Attack ComplexityLowcheckss readable from public HTML; no special setup required
Privileges RequiredNoneNo authentication needed
User InteractionRequiredVictim must open the crafted URL
ScopeChangedJavaScript executes in victim's browser, crossing the application security boundary
ConfidentialityHighFull plaintext credential capture demonstrated via phishing overlay
IntegrityLowDOM manipulation and authenticated requests possible; no direct backend write access
AvailabilityNoneNo denial-of-service impact

Patches

Both root causes are addressed:

Fix 1 - Bind checkss to user session: Replace NV_CACHE_PREFIX with NV_CHECK_SESSION in all locations that generate or validate the comment checkss token - both inside the comment module itself and in any caller module that constructs the token before invoking the comment system. With a session-bound token, a value obtained by the attacker is invalid for any other user's session, removing the delivery mechanism for this attack.

Fix 2 - Escape decoded output before rendering: Apply nv_htmlspecialchars() to the result of nv_base64_decode($status_comment) before assigning it to the template. This closes the XSS sink as an independent defence-in-depth measure, remaining effective regardless of how the code path is reached.

Fix 1 alone eliminates the exploitability of this specific vector. Fix 2 is a necessary defence-in-depth layer that closes the underlying sink.

CWE

  • CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
  • CWE-565: Reliance on Cookies without Validation and Integrity Checking (contributing factor - session-independent token)

AnalysisAI

Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Read static checkss from public page source
Delivery
Base64-encode phishing/JS payload
Exploit
Craft comment_load URL with status_comment
Execution
Deliver link to victim
Persist
Victim opens URL, payload renders unescaped
Impact
Capture credentials or issue authenticated requests

Vulnerability AssessmentAI

Exploitation Exploitation requires the target NukeViet site to expose a comment block (default on content modules such as news/page), from which the attacker reads the static, session-independent checkss token out of the public HTML, and requires the victim to open the attacker-crafted comment_load URL containing the base64-encoded payload in status_comment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High) is internally consistent: remote, no authentication, and low complexity because the required checkss token is readable from public page source, offset only by required user interaction (the victim must open the crafted URL). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker opens any public article, reads the static checkss value from the page's data-checkss attribute, then base64-encodes a credential-phishing overlay and appends it as status_comment on a comment_load URL for that article. The attacker delivers the link (phishing email, chat, forum post) to a victim; when the victim opens it, the overlay renders within the site's origin and can capture credentials or issue authenticated requests. …
Remediation Upgrade to NukeViet 4.6.00, which addresses both root causes (Vendor-released patch: 4.6.00, per advisory GHSA-mxpf-qgg6-v3ff). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all NukeViet CMS deployments and document software versions; immediately restrict or disable public access to the Comment module if business continuity permits. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-48118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy