PatchSiren cyber security CVE debrief
CVE-2026-5010 Sanoma CVE debrief
A reflected Cross-Site Scripting (XSS) vulnerability in Clickedu allows attackers to execute JavaScript in victims' browsers via malicious URLs targeting the `/user.php/` endpoint. The vulnerability was published on March 27, 2026, and last modified on May 19, 2026. With a CVSS 4.0 score of 5.1 (MEDIUM), the attack requires network access and user interaction, with low impacts to confidentiality and integrity of the affected system. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vendor attribution is currently uncertain, with evidence pointing to Incibe as a reference domain candidate; the product appears to be related to Sanoma's Clickedu platform based on the source reference title. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Sanoma
- Product: Clickedu
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-27
- Original CVE updated: 2026-05-19
- Advisory published: 2026-03-27
- Advisory updated: 2026-05-19
Who should care
Organizations using the Clickedu educational platform; security teams responsible for web application protection; developers maintaining PHP-based educational software
Technical summary
The vulnerability exists in the /user.php/ endpoint of Clickedu, where insufficient input sanitization allows reflected Cross-Site Scripting. An attacker can craft a malicious URL containing JavaScript payloads that execute in the victim's browser context upon visiting the link. This enables session hijacking, credential theft, and unauthorized actions on behalf of authenticated users. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) indicates network accessibility, low attack complexity, no privileges required, but user interaction necessary, with low impacts to system confidentiality and integrity.
Defensive priority
medium
Recommended defensive actions
- Apply input validation and output encoding for all user-supplied data in the /user.php/ endpoint
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
- Review and sanitize URL parameters to prevent reflected XSS attacks
- Monitor for security updates from the Clickedu vendor and apply patches when available
- Conduct security testing of the application to identify additional XSS vectors
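The unsafe reflection pattern described in the technical summary, alongside the validation, output-encoding and CSP actions recommended above, as an added PHP example that is not Clickedu's code. The parameter name `name` and the username allowlist are assumptions; the page does not state which parameter of `/user.php/` is affected.

```php
<?php
// Added example, not Clickedu's code: a minimal PHP endpoint that reflects a
// query parameter into HTML, shown in the unsafe pattern behind reflected XSS
// and in a hardened form (allowlist validation, output encoding, CSP header).
// The parameter name "name" is a placeholder; the page does not state which
// parameter of /user.php/ is affected.
declare(strict_types=1);

// Unsafe: user input is concatenated straight into the HTML body.
function renderUnsafe(string $name): string
{
    return '<p>Welcome, ' . $name . '</p>';
}

// Encode for the HTML text/attribute context. ENT_QUOTES also escapes quotes,
// ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allowlist validation for a parameter with a known shape (here a username).
function isValidUsername(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name) === 1;
}

// Hardened: reject unexpected shapes, and encode whatever is reflected.
function renderSafe(string $name): string
{
    if (!isValidUsername($name)) {
        return '<p>Invalid user.</p>';
    }
    return '<p>Welcome, ' . encodeHtml($name) . '</p>';
}

// Defence in depth: a CSP without 'unsafe-inline' blocks inline script and
// event handlers, so a missed encoding no longer executes in the browser.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('Content-Type: text/html; charset=UTF-8');
}

// Constructed probe input: the unsafe renderer returns it as live markup,
// encodeHtml() neutralises it, and renderSafe() rejects it outright.
$probe = '<script>alert(1)</script>';
echo renderUnsafe($probe), PHP_EOL, encodeHtml($probe), PHP_EOL, renderSafe($probe), PHP_EOL;
if (PHP_SAPI !== 'cli') {          // when served over HTTP, handle the request
    sendSecurityHeaders();
    echo renderSafe((string) ($_GET['name'] ?? ''));
}
```

Output encoding must match the context the value lands in (HTML body here); a value written into a JavaScript block or a URL attribute needs that context's encoding instead.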
Evidence notes
The official CVE record and NVD entry confirm reflected XSS in the Clickedu /user.php/ endpoint. The CVSS 4.0 vector indicates a network-based attack with user interaction required. The source reference from Incibe CERT provides additional technical context. Vendor attribution is marked as low confidence and requires review.
Official resources
- CVE-2026-5010 CVE record (CVE.org)
- CVE-2026-5010 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-03-27T15:17:04.113Z