Is there a public PoC exploit available for EUVD-2026-17773?

Yes, a public proof-of-concept exploit is available for EUVD-2026-17773. Prioritise patching immediately. EPSS: 0.0%.

Admin EUVD-2026-17773

Q: What is the CVSS score of EUVD-2026-17773?

EUVD-2026-17773 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-5252 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-01 VulDB

GHSA-4c6f-f3m2-g3pw

XSS Admin

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.1 (MEDIUM) 2.0 (LOW)

PoC Detected

Apr 01, 2026 - 14:23 vuln.today

Public exploit code

EUVD ID Assigned

Apr 01, 2026 - 04:00 euvd

EUVD-2026-17773

Analysis Generated

Apr 01, 2026 - 04:00 vuln.today

CVE Published

Apr 01, 2026 - 03:15 nvd

MEDIUM 5.1

DescriptionCVE.org

A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in z-9527 admin 1.0 and 2.0 allows authenticated remote attackers to inject malicious scripts via the Message Create Endpoint (/server/routes/message.js), affecting message content with user interaction required. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected installations without an official patch.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS score of 3.5 is low, several factors elevate practical risk: the attack requires authentication (PR:L per CVSS vector) and user interaction (UI:R), but publicly available exploit code exists, reducing barriers to abuse by insiders or compromised accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated admin user with access to the admin panel crafts a message containing a malicious JavaScript payload (e.g., <script>alert('XSS')</script>) through the Message Create Endpoint. Due to insufficient input sanitization, the payload is stored in the application database and executed in the browser of any other admin user who views or interacts with the message, potentially stealing session tokens, redirecting to phishing sites, or performing unauthorized actions on behalf of the victim. …
Remediation	No vendor-released patch has been identified at time of analysis; the vendor did not respond to disclosure attempts. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-17773 vulnerability details – vuln.today

Back