Impact
Qool CMS is affected by multiple persistent cross-site scripting vulnerabilities that allow an attacker to inject malicious JavaScript through a variety of POST parameters, including title, name, email, username, link, and task. These inputs are stored and later rendered unchanged to users of the administrative interface. The primary impact is the execution of arbitrary script in the context of the administrator's browser, enabling session hijacking, credential theft, or defacement. The underlying weakness is user-supplied input that is reflected back into the page without proper sanitization, which places the flaw under the CWE for cross-site scripting.
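As an added illustration (not code from Qool CMS or from the advisory), the following Python mirrors the weakness described above: stored form fields are concatenated into an admin page unchanged, next to a hardened renderer that HTML-escapes the text fields at output time and restricts the link field to absolute http(s) URLs, since escaping alone does not neutralise a javascript: href. The field-to-context mapping and the sample POST values are constructed assumptions, not Qool's markup.

```python
import html
from urllib.parse import urlparse

# Fields named in the advisory. Assumption: the text fields land in table cells
# and "link" lands in an href; that mapping is illustrative, not Qool's markup.
TEXT_FIELDS = ("title", "name", "email", "username", "task")
SAFE_SCHEMES = ("http", "https")


def render_unsafe(record: dict) -> str:
    """Mirror of the weakness: stored values placed into admin HTML unchanged."""
    cells = "".join(f"<td>{record.get(f, '')}</td>" for f in TEXT_FIELDS)
    return f'<tr>{cells}<td><a href="{record.get("link", "")}">open</a></td></tr>'


def safe_href(url: str) -> str:
    """Keep only absolute http(s) URLs; anything else (javascript:, data:, relative) is dropped."""
    cleaned = str(url).strip()
    parsed = urlparse(cleaned)
    if parsed.scheme.lower() in SAFE_SCHEMES and parsed.netloc:
        return html.escape(cleaned, quote=True)
    return ""


def render_safe(record: dict) -> str:
    """Hardened rendering: escape each text field at output time and validate the link."""
    cells = "".join(
        f"<td>{html.escape(str(record.get(f, '')), quote=True)}</td>" for f in TEXT_FIELDS
    )
    return f'<tr>{cells}<td><a href="{safe_href(record.get("link", ""))}">open</a></td></tr>'


def contains_active_markup(rendered: str) -> bool:
    """Coarse check: does a raw <script> tag or a javascript: href survive rendering?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    # Constructed sample of what one of the add* endpoints might receive via POST.
    submitted = {
        "title": "<script>alert(1)</script>",
        "name": "Alice", "email": "alice@example.com", "username": "alice",
        "link": "javascript:alert(1)", "task": "review",
    }
    print("unsafe:", render_unsafe(submitted))
    print("safe:  ", render_safe(submitted))
```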
Affected Systems
The vulnerabilities affect Qool CMS as provided by the vendor Qool. Specifically, the flaws exist in administrative scripts at endpoints including addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem. No version ranges are listed in the CNA data, so every deployment of the CMS that exposes these endpoints and has not yet been patched should be considered potentially affected.
Risk and Exploitability
The CVSS base score is 8.7, indicating high severity. The EPSS score is reported as below 1%, suggesting a low probability of exploitation in the near term, and the flaw is not included in the CISA KEV catalog. The likely attack vector is a web-based POST request to the vulnerable administrative endpoints; the attacker needs either a way to convince an authenticated administrator to submit the crafted POST data, or the ability to supply the payload through a user-generated entry that an administrator later views. Exploitation succeeds if the attacker can influence the POST data submitted to these forms or if an administrator inadvertently submits malicious content.
OpenCVE Enrichment