Skip to main content

EUVDEUVD-2026-16211

| CVE-2026-29934 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 mitre GHSA-phpm-chh7-7xg9
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 15:00 euvd
EUVD-2026-16211
Analysis Generated
Mar 26, 2026 - 15:00 vuln.today
CVE Published
Mar 26, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

A reflected cross-site scripting (XSS) vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referer value in the request header.

AnalysisAI

Lightcms v2.0 contains a reflected cross-site scripting vulnerability in the /admin/menus component that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the HTTP referer header. The vulnerability requires user interaction (clicking a crafted link) to trigger exploitation. A proof-of-concept has been publicly disclosed on GitHub, though no evidence of active exploitation in the CISA Known Exploited Vulnerabilities catalog was identified. With a CVSS score of 6.1 and low attack complexity, this represents a moderate-severity risk requiring prompt patching.

Technical ContextAI

The vulnerability stems from improper input validation and output encoding in the /admin/menus administrative interface of Lightcms v2.0. Specifically, the application fails to sanitize the HTTP referer header before reflecting its value in the response HTML, enabling reflected XSS attacks. This is a classic instance of CWE (Cross-Site Scripting) where untrusted user input from the referer header is processed and rendered in a web page without appropriate encoding or filtering. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms the attack is network-accessible, requires low complexity, no authentication, but does require user interaction. The affected product is identified as Lightcms via the provided reference to the GitHub issue tracker, though CPE data in the input shows placeholder values (n/a), indicating incomplete product identification in vulnerability databases.

RemediationAI

No vendor-released patch has been identified at the time of this analysis based on available reference data. Organizations operating Lightcms v2.0 should immediately contact the vendor (eddy8/LightCMS) through the GitHub issues tracker or official security contact to request a patched version. As an interim mitigation, restrict network access to the /admin/menus component via firewall rules or reverse proxy to trusted administrator IP ranges only, implement HTTP referer header validation at the web server or WAF level to reject or sanitize suspicious referer values, and apply Content Security Policy (CSP) headers to limit the execution of inline or injected JavaScript. Additionally, educate administrators to avoid clicking untrusted links while logged into Lightcms administrative interfaces, and monitor HTTP logs for referer headers containing script-like content (e.g., 'javascript:', 'onerror=', '<script').

Share

EUVD-2026-16211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy