HIGH
nukeviet
CVE published 2026-05-22
CVE-2026-41147
NukeViet CMS versions 4.5.07 and prior contain a stored cross-site scripting (XSS) vulnerability in the Request class due to insufficient server-side input sanitization. The application relies primarily on client-side filtering to sanitize HTML tags and attributes, which can be bypassed by intercepting and modifying HTTP requests directly. An unauthenticated attacker can inject malicious payloads that are [truncated]