Skip to main content

ZTE ZXUniPOS NDS-LTE CVE-2026-48999

| EUVDEUVD-2026-32041 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 zte GHSA-7rj9-hhpj-ff6p
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:24 vuln.today

DescriptionCVE.org

Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.

AnalysisAI

Stored cross-site scripting in ZTE ZXUniPOS NDS-LTE enables an authenticated high-privilege attacker to persist malicious JavaScript within the system, which executes automatically in the browsers of other users who access the affected pages. Affected versions include V24.30.40CP02 and V24.40.40 and their respective earlier releases, confirmed via ENISA EUVD-2026-32041 and ZTE's own security bulletin. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects a very low automated exploitation probability.

Technical ContextAI

ZTE ZXUniPOS NDS-LTE is a network data system platform for LTE telecommunications environments, identified by CPE cpe:2.3:a:zte:zte_zxunipos_nds-lte:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS): user-supplied input accepted through the management interface is persisted to a backend store without adequate sanitization or output encoding, and is subsequently rendered directly in the browsers of other authenticated users without escaping. This stored variant is more dangerous than reflected XSS because the payload survives across sessions and does not require the victim to follow a crafted link - any user who loads the affected page triggers the payload automatically.

RemediationAI

Consult ZTE's security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2811026568490730190 to obtain the patched release; the exact fixed version number is not specified in the available data and must be confirmed directly with ZTE support - do not assume any specific version number not provided by the vendor. As an immediate compensating control, restrict network access to the ZXUniPOS NDS-LTE management interface to trusted internal networks or VPN-only segments, removing the ability of an external or lateral-moving attacker to authenticate and inject content; note this does not mitigate a compromised insider account. Additionally, audit high-privilege accounts on the platform and enforce multi-factor authentication where supported to raise the cost of credential compromise. If the platform supports HTTP response header configuration, enabling a Content Security Policy (CSP) to restrict script sources may limit payload execution, but effectiveness depends on application-level configurability.

Share

CVE-2026-48999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy