Description
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed.
Published: 2026-03-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via filename injection
Action: Patch ASAP
AI Analysis

Impact

Next Click Ventures RealtyScript 4.0.2 fails to sanitize CSV file uploads, allowing attackers to inject malicious JavaScript via the filename parameter in multipart form data. This stored cross‑site scripting enables attackers to run arbitrary code in the browsers of users who view or download the uploaded file, potentially leading to credential theft, session hijacking, or defacement. The weakness maps to CWE‑79 and has a CVSS score of 5.1, indicating moderate severity.

Affected Systems

Affected product: Next Click Ventures RealtyScript version 4.0.2, identified by CPE cpe:2.3:a:nextclickventures:realtyscript:4.0.2. No other product versions are listed as affected.

Risk and Exploitability

The vulnerability's CVSS score of 5.1 and EPSS of less than 1% suggest moderate risk with low expected exploitation frequency. The attack vector is inferred to be the web‑based CSV upload interface, which does not require elevated privileges or authentication. The absence of a KEV listing indicates it has not been identified as a known exploited vulnerability in controlled environments. Administrators should consider the risk of unvalidated input leading to cross‑site scripting in user sessions.

Generated by OpenCVE AI on March 19, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest patched version of RealtyScript (if available).
  • If a patch is not available, temporarily disable CSV file uploads or enforce server‑side validation to strip script tags from filename fields.
  • After mitigation, verify that uploaded filenames no longer execute scripts in browsers.

Generated by OpenCVE AI on March 19, 2026 at 16:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Nextclickventures
Nextclickventures realtyscript
CPEs cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*
Vendors & Products Nextclickventures
Nextclickventures realtyscript

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Next Click Ventures
Next Click Ventures realtyscript
Vendors & Products Next Click Ventures
Next Click Ventures realtyscript

Sun, 15 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed.
Title RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Next Click Ventures Realtyscript
Nextclickventures Realtyscript
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:30:31.280Z

Reserved: 2026-03-15T18:05:45.669Z

Link: CVE-2015-20116

cve-icon Vulnrichment

Updated: 2026-03-16T14:21:16.415Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:17:47.077

Modified: 2026-03-19T14:12:28.390

Link: CVE-2015-20116

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:30Z

Weaknesses