Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields. Attackers can bypass front-end length restrictions using JavaScript comments and template literals to concatenate executable script fragments that are rendered in administrative dashboard views such as index.zhtml, resulting in persistent script execution within administrative sessions.
AnalysisAI
Stored cross-site scripting in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets authenticated low-privilege users plant persistent JavaScript in the device's web configuration interface by splitting payloads across multiple admin form fields. The injected script executes in any administrator session that views dashboard pages such as index.zhtml, enabling session hijack or privilege escalation within the appliance. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The AG1000-01A is a Taiko Network Communications SMS alert gateway appliance (CPE cpe:2.3:a:taiko_network_communications_pte_ltd.:ag1000-01a_sms_alert_gateway) that exposes an embedded HTTP-based configuration interface rendering .zhtml pages. The root cause is CWE-79 - Improper Neutralization of Input During Web Page Generation - where administrative form fields persist user-controlled data into pages later rendered to other admins without adequate output encoding. The novel aspect is a length-bypass technique: attackers split a malicious script across several short fields and stitch the fragments together at render time using JavaScript comments and template literals, defeating per-field length validators that operate only on the client side.
RemediationAI
No vendor-released patch identified at time of analysis - neither VulnCheck nor the researcher disclosure cites a fixed firmware build for Rev 7.3 or Rev 8. Until Taiko publishes a fix, restrict the AG1000-01A web configuration interface to a dedicated management VLAN or jump host so PR:L attackers cannot reach it from general networks (trade-off: legitimate remote admin workflows must move through the bastion). Limit administrative accounts to the smallest necessary set and rotate credentials for any low-privileged operator accounts that can submit form data, since those accounts are the staging vector. Consider deploying a reverse proxy or WAF in front of the interface to strip <script> fragments, template-literal back-ticks, and JavaScript comment sequences (/*, */, //) from POST bodies destined for index.zhtml and related admin pages, accepting that aggressive filtering may break legitimate configuration values that contain those characters. Monitor the VulnCheck advisory URL above for a firmware revision and apply it as soon as Taiko releases one.
More in Ag1000 01A Sms Alert Gateway
View allAuthentication bypass in Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets remote attackers reach the embedded
Authentication bypass in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) allows unauthenticated remote attack
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31191
GHSA-mqc5-86vp-hmff