PatchSiren cyber security CVE debrief
CVE-2026-38579 damasac CVE debrief
CVE-2026-38579 is a MEDIUM severity vulnerability in damasac thaipalliative_lte through version 3.0. Multiple reflected Cross-Site Scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter, the id parameter, and the ptid_key parameter in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.
- Vendor: damasac
- Product: thaipalliative_lte
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-09
Who should care
Users of damasac thaipalliative_lte through version 3.0 should apply patches or mitigations to prevent exploitation of this vulnerability.
Technical summary
The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79.
Defensive priority
This vulnerability is a defensive priority because of its MEDIUM severity and its exploitability: per the CVSS vector, an attack is network-reachable, needs no privileges, and requires user interaction.
Recommended defensive actions
- Upgrade damasac thaipalliative_lte to a fixed release later than version 3.0 when one is available; versions through 3.0 are affected.
- Implement input validation and encoding to prevent XSS attacks.
- Review and update /substudy/ezform.php to ensure proper handling of user input.
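As an added illustration of the encoding action above (not code from thaipalliative_lte or its vendor), this PHP example applies context-specific output encoding to the three parameters named in the advisory, once for an HTML attribute and once for an inline JavaScript value. The helper names `attr`, `js` and `param`, the markup, and the allow-list pattern are assumptions, since the page does not show the contents of /substudy/ezform.php.

```php
<?php
declare(strict_types=1);

// Added example, not code from thaipalliative_lte. Helper names, markup and the
// allow-list pattern are assumptions; only the parameter names come from the advisory.
// The advisory's unsafe pattern is request input echoed into these contexts unencoded.

/** Encode a value for use inside a quoted HTML attribute or element text. */
function attr(string $value): string
{
    // ENT_QUOTES encodes both ' and ", so the value cannot close the attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a value as a JavaScript literal that is safe inside an inline <script>. */
function js(string $value): string
{
    // The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
    // value cannot end the string literal or the surrounding <script> element.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Read a query parameter as a string and apply an assumed allow-list. */
function param(array $query, string $name): string
{
    $value = $query[$name] ?? '';
    // Reject arrays (?id[]=x) and anything outside the assumed identifier alphabet.
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_-]{0,64}\z/', $value)) {
        http_response_code(400);
        exit('Invalid parameter: ' . attr($name));
    }
    return $value;
}

$idFormMain = param($_GET, 'idFormMain');
$id         = param($_GET, 'id');
$ptidKey    = param($_GET, 'ptid_key');
?>
<input type="hidden" name="idFormMain" value="<?= attr($idFormMain) ?>">
<input type="hidden" name="id" value="<?= attr($id) ?>">
<script>
  var ptidKey = <?= js($ptidKey) ?>;
</script>
```

The encoder must match the output context: `attr` is not sufficient inside a script block, and `js` output must not be wrapped in additional quotes.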
Evidence notes
Evidence for this CVE is provided by the NVD and CVE.org.
Official resources
CVE-2026-38579 was published on 2026-06-05 and modified on 2026-06-09.