Skip to main content

ui-ux-pro-max-skill CVE-2026-7596

| EUVDEUVD-2026-26720 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-01 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

9
PoC Detected
May 02, 2026 - 02:16 vuln.today
Public exploit code
Source Code Evidence Fetched
May 01, 2026 - 21:30 vuln.today
Analysis Generated
May 01, 2026 - 21:30 vuln.today
Severity Changed
May 01, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
May 01, 2026 - 21:22 NVD
4.3 (MEDIUM) 2.1 (LOW)
EUVD ID Assigned
May 01, 2026 - 21:16 euvd
EUVD-2026-26720
Analysis Generated
May 01, 2026 - 21:16 vuln.today
Patch released
May 01, 2026 - 21:16 nvd
Patch available
CVE Published
May 01, 2026 - 21:00 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

Cross-site scripting (XSS) vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to version 2.5.0 allows remote attackers to inject malicious scripts via unescaped user input in the Slide Generator component's data.get() function. The vulnerability affects slide generation where user-supplied content (titles, subtitles, company names, feature descriptions) is embedded directly into HTML output without sanitization. Publicly available exploit code exists, and the vendor has released a patch via pull request, though the project has not actively responded to security notifications. CVSS score of 2.1 reflects low severity due to required user interaction, but the public availability of exploit code increases practical exploitation risk.

Technical ContextAI

The vulnerability exists in the generate-slide.py script's Slide Generator component, which dynamically constructs HTML slide content using Python f-strings with unescaped user-supplied data from the data dictionary. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where the application fails to HTML-escape or URL-validate user inputs before embedding them into HTML attributes and content. The patch introduces two utility functions: _e() for HTML entity escaping using Python's html.escape() for text content, and _safe_url() for URL validation that whitelists safe schemes (http://, https://, #, /) and prevents javascript: URI injection. The vulnerability affects all data fields passed to slide generation functions (badge, title, subtitle, company name, pain point titles/descriptions, feature titles/descriptions, CTA buttons, and metadata fields), which are rendered client-side without sanitization.

RemediationAI

Vendor-released patch: Apply the fix from PR #274, which introduces HTML escaping via the _e() utility function and URL validation via the _safe_url() function (https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274). This patch wraps all user-supplied data with _e() for text content and _safe_url() for href attributes, preventing HTML/JavaScript injection. Update to the next stable release of ui-ux-pro-max-skill that includes this fix once officially tagged by the maintainers. As a temporary compensating control pending patch deployment, restrict access to the Slide Generator component to trusted users only, and validate/sanitize all slide data inputs externally before passing to the script using a server-side HTML sanitization library (e.g., bleach for Python). Do not allow untrusted external users to upload or import slide definitions. Additionally, deploy a Content Security Policy (CSP) header in any web interface that displays generated slides to restrict script execution to trusted sources only, which will limit the impact of injected XSS payloads.

Share

CVE-2026-7596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy