Skip to main content

KLiK SocialMediaWebsite EUVDEUVD-2026-31625

| CVE-2026-9420 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-25 VulDB GHSA-p36m-2qm6-9pq8
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 13:12 vuln.today
Severity Changed
May 26, 2026 - 20:07 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 20:07 NVD
6.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A vulnerability was found in KLiK SocialMediaWebsite 1.0. This affects an unknown part of the component HTTP GET Request Parameter Handler. The manipulation results in injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

AnalysisAI

Injection via HTTP GET request parameter manipulation in KLiK SocialMediaWebsite 1.0 allows remote attackers to inject arbitrary content or code through the application's parameter handler, contingent on passive user interaction. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact scoped exclusively to the vulnerable system with no lateral impact. Publicly available exploit code exists per the E:P exploit maturity metric and SSVC poc classification, though EPSS at 0.04% (13th percentile) and the non-KEV status indicate no observed widespread exploitation.

Technical ContextAI

KLiK SocialMediaWebsite 1.0 is identified via CPE cpe:2.3:a:n/a:klik_socialmediawebsite:*:*:*:*:*:*:*:* - the vendor field resolving to 'n/a' indicates this is likely a community or open-source project with no formal vendor namespace in the NVD CPE dictionary. The vulnerability resides in the HTTP GET Request Parameter Handler, the component responsible for processing URL query string parameters before downstream use. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection) identifies the root cause: user-supplied GET parameter values are not properly sanitized or neutralized before being passed to a downstream context, allowing injected special elements to alter the intended processing logic. This CWE is a parent class covering sub-types such as SQL injection, OS command injection, cross-site scripting, and template injection; the exact downstream context (database, shell, HTML renderer) is not confirmed in available data. The CVSS 4.0 vector specifies AT:N (no attack requirements beyond network access) and AC:L (low attack complexity), indicating the injection point is reliably reachable and does not require unusual application state.

RemediationAI

No vendor-released patch is identified at time of analysis - the CPE vendor field is 'n/a' and no patch references appear in the VulDB submission set (https://vuldb.com/submit/813723, /813730, /813731, /813732) or NVD entry. Given the absence of a maintained vendor, organizations running KLiK SocialMediaWebsite 1.0 should consider replacing it with an actively maintained alternative. As a specific compensating control, input validation and output encoding should be applied to all HTTP GET parameters at the web application firewall or reverse proxy layer (e.g., ModSecurity with OWASP CRS rules targeting CWE-74 injection patterns); note this may block legitimate parameterized requests if rules are too broad and requires tuning. Additionally, restricting the application to authenticated sessions only would eliminate the PR:N attack surface, though this may conflict with intended public-facing functionality. If the application is not in active use, decommissioning or taking it offline eliminates exposure entirely.

Share

EUVD-2026-31625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy