Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in KLiK SocialMediaWebsite 1.0. This issue affects some unknown processing of the component HTTP POST Request Parameter Handler. Such manipulation leads to injection. The attack can be launched remotely. The exploit is publicly available and might be used.
AnalysisAI
Injection vulnerability in KLiK SocialMediaWebsite 1.0 allows remote unauthenticated attackers to submit crafted HTTP POST request parameters to the application's input handler, achieving partial compromise of confidentiality, integrity, and availability. Classified under CWE-74 and tagged as Code Injection, the flaw carries a CVSS 4.0 score of 5.5 (Medium) with confirmed proof-of-concept exploit code publicly available (E:P). Despite the POC, EPSS places exploitation probability at 0.04% (14th percentile), indicating low observed real-world exploitation activity and a narrow effective target base.
Technical ContextAI
KLiK SocialMediaWebsite is a web application (CPE: cpe:2.3:a:n/a:klik_socialmediawebsite:*:*:*:*:*:*:*:*) with an unregistered vendor namespace in the NVD CPE dictionary, indicating a small or community-maintained project. The root cause is CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component - a broad injection class encompassing SQL injection, command injection, and code injection subtypes. VulDB tags this specifically as Code Injection, suggesting user-supplied POST parameters are passed to an interpreter or evaluator without adequate sanitization or escaping. The CVSS 4.0 vector (AT:N) confirms no special attack requirements beyond network reachability, and the absence of scope change (SC:N/SI:N/SA:N) indicates exploitation is confined to the vulnerable application tier with no lateral impact to adjacent systems.
RemediationAI
No vendor-released patch has been identified at time of analysis; the CPE entry carries no registered vendor, and the VulDB submission references (https://vuldb.com/submit/813734, https://vuldb.com/submit/813736) do not confirm a fixed version. As a compensating control, operators should implement a web application firewall (WAF) with rules targeting injection payloads in POST body parameters, accepting the trade-off that WAF rules may produce false positives requiring tuning. Input validation and output encoding should be applied at all POST parameter entry points within the application code, prioritizing parameters processed by interpreters or template engines. If the application is not actively used, taking it offline or restricting access to trusted IP ranges eliminates the network attack vector entirely with no functional trade-off for non-users. Refer to https://vuldb.com/vuln/365403 and https://nvd.nist.gov/vuln/detail/CVE-2026-9422 for updated advisory information as the vendor situation evolves.
More in Klik Socialmediawebsite
View allKLiK SocialMediaWebsite version v1.0.1 is vulnerable to SQL Injection via the profile.php. Rated high severity (CVSS 8.8
A reflected cross-site scripting (XSS) vulnerability in SocialMediaWebsite v1.0.1 allows attackers to inject malicious J
KLiK SocialMediaWebsite version 1.0.1 from msaad1999 has a reflected cross-site scripting (XSS) vulnerability which may
Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation v
A reflected cross-site scripting (XSS) vulnerability in zhimengzhe iBarn v1.5 allows attackers to inject malicious JavaS
Injection via HTTP GET request parameter manipulation in KLiK SocialMediaWebsite 1.0 allows remote attackers to inject a
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31630
GHSA-wq97-gxrp-9qqp