Skip to main content

Darna Framework EUVDEUVD-2026-15800

| CVE-2026-27088 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-j895-gc2p-77r2
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15800
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Darna Framework darna-framework allows Reflected XSS.This issue affects Darna Framework: from n/a through <= 2.9.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability exists in G5Theme's Darna Framework through version 2.9, allowing attackers to inject malicious scripts that execute in users' browsers when crafted URLs are visited. The vulnerability affects the Darna Framework WordPress plugin and stems from improper input neutralization during web page generation. While no CVSS score or EPSS data is currently published, the CWE-79 classification indicates this is a classic reflected XSS with potential for credential theft, session hijacking, and malware distribution depending on the attack vector's accessibility.

Technical ContextAI

The Darna Framework (cpe:2.3:a:g5theme:darna_framework:*:*:*:*:*:*:*:*) is a WordPress theme/plugin framework that processes user-supplied input during dynamic web page generation without adequate sanitization or output encoding. This violates CWE-79 (Improper Neutralization of Input During Web Page Generation), a category encompassing failures to escape or validate untrusted data before rendering in HTML contexts. The framework likely accepts query parameters, form inputs, or other request data and reflects them back in HTTP responses without HTML entity encoding, content-security-policy headers, or input validation, allowing attackers to break out of HTML attribute or script context and inject arbitrary JavaScript.

RemediationAI

Immediately upgrade the G5Theme Darna Framework to a patched version beyond 2.9; consult the official G5Theme security advisory or Patchstack database for the specific patch release. Until patching is feasible, implement input validation and output encoding at the application level, enforce Content-Security-Policy (CSP) headers to restrict inline script execution, and consider disabling the Darna Framework plugin if not actively required. Network-level mitigations include deploying a Web Application Firewall (WAF) with XSS detection rules and restricting access to administrative interfaces via IP allowlisting. Users should review their WordPress plugin settings and audit any recent modifications to site content or user access patterns.

Share

EUVD-2026-15800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy