Skip to main content

Myems

1 CVEs product

Monthly

CVE-2026-15321 LOW POC PATCH Monitor

Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the `new_values['data']` argument in the `on_post` function of `myems-api/core/svg.py` within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. A public proof-of-concept exists via GitHub issue #412, and a vendor-released patch is available in version 6.5.0.

XSS Myems
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.2%
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the `new_values['data']` argument in the `on_post` function of `myems-api/core/svg.py` within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. A public proof-of-concept exists via GitHub issue #412, and a vendor-released patch is available in version 6.5.0.

XSS Myems
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy