Skip to main content

Remark42 CVE-2026-48788

| EUVDEUVD-2026-37511 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 GitHub_M GHSA-4c8j-mgm4-qqvp
8.2
CVSS 3.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Network-reachable proxy endpoint, no auth needed (PR:N), one victim click (UI:R); JS executes in Remark42 origin so scope changes and confidentiality is high, with limited integrity and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 26, 2026 - 21:02 EUVD
Source Code Evidence Fetched
Jun 17, 2026 - 00:11 vuln.today
Analysis Generated
Jun 17, 2026 - 00:11 vuln.today

DescriptionCVE.org

Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.

AnalysisAI

Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host upstream URL with image/png header and HTML body
Delivery
Deliver proxy link to logged-in victim
Exploit
Victim browser fetches Remark42 image proxy endpoint
Execution
Proxy re-serves bytes sniffed as text/html on Remark42 origin
Persist
Browser executes attacker JavaScript in Remark42 context
Impact
Steal session tokens and impersonate user in comments

Vulnerability AssessmentAI

Exploitation Requires the target Remark42 instance to be running a vulnerable version (1.6.0-1.15.0) with the image proxy feature enabled - this is the specific feature whose Content-Type handling is inconsistent. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N scores 8.2 (High) and accurately reflects an internet-reachable, no-auth, scope-changing XSS that requires a single user click on a crafted proxy link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts attacker.example/payload.png on their own web server, configured to advertise Content-Type: image/png while actually returning an HTML body containing a JavaScript payload that exfiltrates the victim's Remark42 session cookie or posts comments on their behalf. The attacker then sends or embeds a link of the form https://victim-blog.example/api/v1/proxy?src=<encoded attacker URL> (delivered via email, DM, or a third-party site), and any logged-in Remark42 reader who clicks it executes the JavaScript inside the blog's Remark42 origin. …
Remediation Vendor-released patch: upgrade to Remark42 v1.16.0 or later, which adds X-Content-Type-Options: nosniff and Referrer-Policy: strict-origin-when-cross-origin response headers via the securityHeadersMiddleware (commit 78d6de6bce1e961f023969da3ec8a00dd80c9ae8); see https://github.com/umputun/remark42/releases/tag/v1.16.0 and the advisory at https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Remark42 deployments and identify instances running versions 1.6.0-1.15.0; alert administrators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48788 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy