Severity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.
AnalysisAI
Stored cross-site scripting in ZTE ZXUniPOS NDS-LTE enables an authenticated high-privilege attacker to persist malicious JavaScript within the system, which executes automatically in the browsers of other users who access the affected pages. Affected versions include V24.30.40CP02 and V24.40.40 and their respective earlier releases, confirmed via ENISA EUVD-2026-32041 and ZTE's own security bulletin. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects a very low automated exploitation probability.
Technical ContextAI
ZTE ZXUniPOS NDS-LTE is a network data system platform for LTE telecommunications environments, identified by CPE cpe:2.3:a:zte:zte_zxunipos_nds-lte:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS): user-supplied input accepted through the management interface is persisted to a backend store without adequate sanitization or output encoding, and is subsequently rendered directly in the browsers of other authenticated users without escaping. This stored variant is more dangerous than reflected XSS because the payload survives across sessions and does not require the victim to follow a crafted link - any user who loads the affected page triggers the payload automatically.
RemediationAI
Consult ZTE's security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2811026568490730190 to obtain the patched release; the exact fixed version number is not specified in the available data and must be confirmed directly with ZTE support - do not assume any specific version number not provided by the vendor. As an immediate compensating control, restrict network access to the ZXUniPOS NDS-LTE management interface to trusted internal networks or VPN-only segments, removing the ability of an external or lateral-moving attacker to authenticate and inject content; note this does not mitigate a compromised insider account. Additionally, audit high-privilege accounts on the platform and enforce multi-factor authentication where supported to raise the cost of credential compromise. If the platform supports HTTP response header configuration, enabling a Content Security Policy (CSP) to restrict script sources may limit payload execution, but effectiveness depends on application-level configurability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32041
GHSA-7rj9-hhpj-ff6p