Skip to main content

UBB.threads CVE-2026-54221

| EUVDEUVD-2026-37884 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 CERT-PL GHSA-9c46-2jjw-rj67
5.1
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS requires victim interaction (UI:R), crosses scope boundary into victim browser (S:C), with low C/I impact; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 18, 2026 - 13:34 vuln.today

DescriptionCVE.org

UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim's browser by tricking them into clicking a crafted link. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.

AnalysisAI

Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify vulnerable UBB.threads parameter
Delivery
Craft malicious reflected XSS URL
Exploit
Deliver link to target victim
Install
Victim clicks link, browser sends tainted request
C2
Server reflects payload unsanitized
Execute
JavaScript executes in victim's browser context
Impact
Exfiltrate session token or perform authenticated actions

Vulnerability AssessmentAI

Exploitation The victim must click a crafted link delivered by the attacker - exploitation cannot occur passively without user interaction (UI:A in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.1 is consistent with a medium-severity reflected XSS requiring active victim participation (UI:A), which significantly reduces mass-exploitation potential compared to stored or DOM-based variants. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a URL parameter in UBB.threads that is reflected unsanitized into the HTML response, constructs a crafted link embedding a JavaScript payload (e.g., a cookie-stealing script), and distributes it to forum users via private message, email, or an external site. When a logged-in victim clicks the link, their browser executes the injected script in the context of the UBB.threads origin, potentially exfiltrating session cookies or performing actions on their behalf. …
Remediation No vendor-released patch has been identified at time of analysis; vendor contact attempts by CERT-PL were unsuccessful, and no advisory was published at https://www.ubbcentral.com/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy