Is there a public PoC exploit available for CVE-2026-5249?

Yes, a public proof-of-concept exploit is available for CVE-2026-5249. Prioritise patching immediately. EPSS: 0.0%.

Gougucms CVE-2026-5249

Q: What is the CVSS score of CVE-2026-5249?

CVE-2026-5249 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-17769 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-01 VulDB

XSS Gougucms

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.1 (MEDIUM) 2.0 (LOW)

PoC Detected

Apr 01, 2026 - 14:23 vuln.today

Public exploit code

EUVD ID Assigned

Apr 01, 2026 - 01:45 euvd

EUVD-2026-17769

Analysis Generated

Apr 01, 2026 - 01:45 vuln.today

CVE Published

Apr 01, 2026 - 01:30 nvd

MEDIUM 5.1

DescriptionCVE.org

A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \gougucms-master\app\admin\view\user\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in GouguCMS 4.08.18 allows authenticated remote attackers to inject malicious scripts via the value.content parameter in the Record Endpoint (\gougucms-master\app\admin\view\user\record.html), which are executed in the context of other users' browsers. The vulnerability has a publicly available exploit and affects user record management functionality with low CVSS score (3.5) due to requirement for user interaction and authenticated access, though the vendor has not responded to disclosure.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS score of 3.5 is low, the real-world risk assessment reveals important nuances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated administrative user with access to the GouguCMS user record management interface could inject a malicious JavaScript payload into the value.content field of a user record. When another administrator views that record, the stored XSS payload executes in their browser context, allowing the attacker to steal session cookies, perform unauthorized administrative actions (such as creating new admin accounts), or redirect the administrator to a phishing page. …
Remediation	Immediate remediation requires upgrading GouguCMS to a patched version if available from the vendor; however, no vendor-released patch has been independently confirmed at time of analysis, and the vendor has not responded to disclosure attempts. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5249 vulnerability details – vuln.today

Back