Skip to main content

KLiK SocialMediaWebsite CVE-2026-9422

| EUVDEUVD-2026-31630 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-25 VulDB GHSA-wq97-gxrp-9qqp
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:43 vuln.today
Severity Changed
May 26, 2026 - 20:07 NVD
HIGH MEDIUM
CVSS changed
May 26, 2026 - 20:07 NVD
7.3 (HIGH) 5.5 (MEDIUM)

DescriptionCVE.org

A vulnerability was identified in KLiK SocialMediaWebsite 1.0. This issue affects some unknown processing of the component HTTP POST Request Parameter Handler. Such manipulation leads to injection. The attack can be launched remotely. The exploit is publicly available and might be used.

AnalysisAI

Injection vulnerability in KLiK SocialMediaWebsite 1.0 allows remote unauthenticated attackers to submit crafted HTTP POST request parameters to the application's input handler, achieving partial compromise of confidentiality, integrity, and availability. Classified under CWE-74 and tagged as Code Injection, the flaw carries a CVSS 4.0 score of 5.5 (Medium) with confirmed proof-of-concept exploit code publicly available (E:P). Despite the POC, EPSS places exploitation probability at 0.04% (14th percentile), indicating low observed real-world exploitation activity and a narrow effective target base.

Technical ContextAI

KLiK SocialMediaWebsite is a web application (CPE: cpe:2.3:a:n/a:klik_socialmediawebsite:*:*:*:*:*:*:*:*) with an unregistered vendor namespace in the NVD CPE dictionary, indicating a small or community-maintained project. The root cause is CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component - a broad injection class encompassing SQL injection, command injection, and code injection subtypes. VulDB tags this specifically as Code Injection, suggesting user-supplied POST parameters are passed to an interpreter or evaluator without adequate sanitization or escaping. The CVSS 4.0 vector (AT:N) confirms no special attack requirements beyond network reachability, and the absence of scope change (SC:N/SI:N/SA:N) indicates exploitation is confined to the vulnerable application tier with no lateral impact to adjacent systems.

RemediationAI

No vendor-released patch has been identified at time of analysis; the CPE entry carries no registered vendor, and the VulDB submission references (https://vuldb.com/submit/813734, https://vuldb.com/submit/813736) do not confirm a fixed version. As a compensating control, operators should implement a web application firewall (WAF) with rules targeting injection payloads in POST body parameters, accepting the trade-off that WAF rules may produce false positives requiring tuning. Input validation and output encoding should be applied at all POST parameter entry points within the application code, prioritizing parameters processed by interpreters or template engines. If the application is not actively used, taking it offline or restricting access to trusted IP ranges eliminates the network attack vector entirely with no functional trade-off for non-users. Refer to https://vuldb.com/vuln/365403 and https://nvd.nist.gov/vuln/detail/CVE-2026-9422 for updated advisory information as the vendor situation evolves.

Share

CVE-2026-9422 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy