Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered reflected XSS requires victim interaction (UI:R), crosses scope boundary into victim browser (S:C), with low C/I impact; no availability impact.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim's browser by tricking them into clicking a crafted link. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
AnalysisAI
Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must click a crafted link delivered by the attacker - exploitation cannot occur passively without user interaction (UI:A in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.1 is consistent with a medium-severity reflected XSS requiring active victim participation (UI:A), which significantly reduces mass-exploitation potential compared to stored or DOM-based variants. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a URL parameter in UBB.threads that is reflected unsanitized into the HTML response, constructs a crafted link embedding a JavaScript payload (e.g., a cookie-stealing script), and distributes it to forum users via private message, email, or an external site. When a logged-in victim clicks the link, their browser executes the injected script in the context of the UBB.threads origin, potentially exfiltrating session cookies or performing actions on their behalf. … |
| Remediation | No vendor-released patch has been identified at time of analysis; vendor contact attempts by CERT-PL were unsuccessful, and no advisory was published at https://www.ubbcentral.com/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ubb Threads
View allCross-site scripting (XSS) vulnerability in forums/ubbthreads.php in UBB.threads 7.5.6 and earlier allows remote attacke
Remote code execution in UBB.threads forum software (version 7.7.5 confirmed) is achievable by authenticated users holdi
Authenticated blind SQL injection in UBB.threads forum software version 7.7.5 (and likely other versions) allows adminis
Cross-site request forgery in UBB.threads forum software version 7.7.5 (and potentially earlier versions) allows remote
Database-resource exhaustion in UBB.threads forum software (confirmed in version 7.7.5) allows an authenticated low-priv
Stored XSS in UBB.threads 7.7.5 permits low-privileged forum members to permanently inject arbitrary JavaScript into pos
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37884
GHSA-9c46-2jjw-rj67