Skip to main content

Taiko AG1000-01A CVE-2026-9144

| EUVDEUVD-2026-31191 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-20 VulnCheck GHSA-mqc5-86vp-hmff
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 20, 2026 - 20:31 vuln.today
CVSS changed
May 20, 2026 - 20:22 NVD
7.6 (HIGH) 8.4 (HIGH)

DescriptionCVE.org

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields. Attackers can bypass front-end length restrictions using JavaScript comments and template literals to concatenate executable script fragments that are rendered in administrative dashboard views such as index.zhtml, resulting in persistent script execution within administrative sessions.

AnalysisAI

Stored cross-site scripting in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) lets authenticated low-privilege users plant persistent JavaScript in the device's web configuration interface by splitting payloads across multiple admin form fields. The injected script executes in any administrator session that views dashboard pages such as index.zhtml, enabling session hijack or privilege escalation within the appliance. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The AG1000-01A is a Taiko Network Communications SMS alert gateway appliance (CPE cpe:2.3:a:taiko_network_communications_pte_ltd.:ag1000-01a_sms_alert_gateway) that exposes an embedded HTTP-based configuration interface rendering .zhtml pages. The root cause is CWE-79 - Improper Neutralization of Input During Web Page Generation - where administrative form fields persist user-controlled data into pages later rendered to other admins without adequate output encoding. The novel aspect is a length-bypass technique: attackers split a malicious script across several short fields and stitch the fragments together at render time using JavaScript comments and template literals, defeating per-field length validators that operate only on the client side.

RemediationAI

No vendor-released patch identified at time of analysis - neither VulnCheck nor the researcher disclosure cites a fixed firmware build for Rev 7.3 or Rev 8. Until Taiko publishes a fix, restrict the AG1000-01A web configuration interface to a dedicated management VLAN or jump host so PR:L attackers cannot reach it from general networks (trade-off: legitimate remote admin workflows must move through the bastion). Limit administrative accounts to the smallest necessary set and rotate credentials for any low-privileged operator accounts that can submit form data, since those accounts are the staging vector. Consider deploying a reverse proxy or WAF in front of the interface to strip <script> fragments, template-literal back-ticks, and JavaScript comment sequences (/*, */, //) from POST bodies destined for index.zhtml and related admin pages, accepting that aggressive filtering may break legitimate configuration values that contain those characters. Monitor the VulnCheck advisory URL above for a firmware revision and apply it as soon as Taiko releases one.

Share

CVE-2026-9144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy