Description
NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users.
Published: 2026-05-16
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NewsLister suffers an authenticated persistent cross‑site scripting vulnerability that allows administrators to inject JavaScript payloads through the title field when creating news items. When other users view the affected news, the malicious script executes in their browsers, potentially compromising session data, defacing content, or facilitating further attacks. This weakness is classified as CWE‑79.

Affected Systems

The affected product is Netartmedia NewsLister. No specific versions are listed in the CNA data, so all installations of this product remain vulnerable until patched or otherwise mitigated.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not present in the CISA KEV catalog. Exploitation requires authenticated administrator credentials, which limits the attack surface but still poses a significant risk to any organization that grants broad admin privileges. Once an attacker injects JavaScript into the title field, the impact spans all users who read the news items.

Generated by OpenCVE AI on May 16, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade to a newer version of Netartmedia NewsLister that resolves the XSS flaw
  • Restrict access to the admin panel to a minimal set of trusted administrators
  • Implement server‑side validation and output encoding on the title field to prevent arbitrary script injection

Advisories

No advisories yet.

History

Sat, 16 May 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Netartmedia; Netartmedia news Lister |
| Vendors & Products | | Netartmedia; Netartmedia news Lister |

Sat, 16 May 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users. |
| Title | | NewsLister Authenticated Persistent Cross-Site Scripting via Admin Panel |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:52.992Z

Reserved: 2026-05-15T14:17:44.250Z

Link: CVE-2020-37236

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-16T16:16:19.700

Modified: 2026-05-16T16:16:19.700

Link: CVE-2020-37236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T16:30:27Z

Weaknesses