Skip to main content

Musetheque V4 Information Disclosure EUVDEUVD-2026-30504

| CVE-2026-24662 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-15 jpcert GHSA-cq4p-2r8m-83m6
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 06:30 vuln.today
CVSS changed
May 15, 2026 - 06:22 NVD
5.4 (MEDIUM) 4.8 (MEDIUM)
CVE Published
May 15, 2026 - 05:38 nvd
MEDIUM 4.8

DescriptionCVE.org

Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a file containing malicious contents is uploaded, an arbitrary script may be executed on a user's web browser when viewing the administration page showing the information of the file.

AnalysisAI

Stored cross-site scripting (XSS) in Fujitsu's Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 allows authenticated users to execute arbitrary scripts in administrators' browsers by uploading files with malicious content. When administrators view file information on the administration page, the injected script executes with user-level privileges. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

This vulnerability stems from improper input validation and output encoding on the file information display page within the Musetheque V4 administration interface. The root cause is CWE-79 (Cross-site Scripting), specifically stored/persistent XSS where malicious content embedded in uploaded files is rendered without sanitization when retrieved and displayed to administrators. The vulnerability affects the IPKNOWLEDGE V4L1 platform, which appears to be an information management system by Fujitsu Japan Limited. The attack vector is network-based with low complexity, relying on the application's failure to encode user-controllable data (file content) before insertion into the HTML response sent to administrators.

RemediationAI

Upgrade Musetheque V4 Information Disclosure to a patched version released by Fujitsu after revision 2203.0. Specific patch version numbers are not provided in available intelligence; consult the Fujitsu security advisory at https://jvn.jp/en/jp/JVN69128376/ and contact Fujitsu support for the current patched version. As an interim compensating control, restrict file upload permissions to a minimal set of trusted users and implement regular audits of uploaded files to identify suspicious content before administrators access file information pages. Additionally, disable or restrict administrative access to the file information display page for non-essential administrators, implement Content Security Policy (CSP) headers to mitigate XSS execution, and educate administrators to avoid opening file details for files from untrusted sources. Note that these controls do not eliminate the vulnerability but reduce exposure window and attacker surface until patching is possible.

Share

EUVD-2026-30504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy