Description
Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in the content parameter to execute arbitrary scripts in users' browsers.
Published: 2026-05-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kuicms Php EE 2.0 contains a persistent cross‑site scripting flaw that occurs when user‑submitted content from the bbs reply endpoint is stored without proper escaping. An attacker can send a POST request to /web/?c=bbs&a=reply with JavaScript and HTML in the content parameter, and the payload is stored and rendered in browsers when the reply is viewed, allowing arbitrary script execution. This weakness is a classic input validation error (CWE‑79).

Affected Systems

The vulnerability targets the Kuicms Php EE 2.0 CMS. No other versions are reported as affected. Administrators should confirm whether their deployed instances run version 2.0 and whether the bbs reply feature is enabled.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. EPSS data is not available and the flaw is not listed in the CISA KEV catalogue, suggesting no documented exploitation to date. Attackers can reach the vulnerable endpoint without authentication by sending a crafted POST request to /web/?c=bbs&a=reply, so the attack vector is unauthenticated network access to the application.

Generated by OpenCVE AI on May 13, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a Kuicms Php EE version that sanitizes bbs reply input
  • If an official fix is not yet available, sanitize or escape the content parameter on the server side before storing it to prevent execution of injected scripts
  • Disable the bbs reply feature or restrict it to authenticated users when possible to reduce exposure

Generated by OpenCVE AI on May 13, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Kuicms
Kuicms kuicms Php Ee
Vendors & Products Kuicms
Kuicms kuicms Php Ee

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in the content parameter to execute arbitrary scripts in users' browsers.
Title Kuicms Php EE 2.0 Persistent Cross-Site Scripting via bbs reply
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Kuicms Kuicms Php Ee
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-24T01:36:54.833Z

Reserved: 2026-05-13T14:08:46.913Z

Link: CVE-2020-37222

cve-icon Vulnrichment

Updated: 2026-05-15T13:46:10.828Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T16:16:33.713

Modified: 2026-05-13T17:07:21.030

Link: CVE-2020-37222

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:34:19Z

Weaknesses