Description
Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript. The application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Exponent CMS 2.6 contains a stored cross‑site scripting vulnerability that allows authenticated attackers to inject malicious scripts into the Title and Text Block parameters through the text editing endpoint. The injection can consist of iframe payloads with embedded SVG onload events, enabling arbitrary JavaScript execution. Additionally, the application exposes database credentials in responses and does not provide brute‑force protection on authentication endpoints, increasing the risk of credential compromise.

Affected Systems

This vulnerability affects the Exponent CMS product version 2.6. Only the official ExponentCMS:Exponent CMS release is impacted, with no other versions or vendor products listed as affected.

Risk and Exploitability

The CVSS v4.0 score of 5.1 indicates moderate severity, and the EPSS score of 0.00054 (~0.054%) suggests a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation is inferred to require authentication because the text editing endpoint requires user credentials, so the attacker must have valid access to inject the script and cause it to execute. An attacker who can access the vulnerable endpoint could hijack user sessions or exfiltrate data, potentially compromising the confidentiality and integrity of the application. The credential exposure component amplifies the potential damage by providing an attacker with database access, facilitating further attacks such as data exfiltration or privilege escalation.

Generated by OpenCVE AI on May 26, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent Exponent CMS patch that addresses the stored XSS and authentication issues.
  • Restrict or disable the text editing endpoint for non‑administrative users and enforce strict role‑based access control.
  • Remove database credentials from API responses and enable proper error handling to prevent credential disclosure.
  • Implement rate limiting or brute‑force protection on authentication endpoints to reduce the risk of credential guessing.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type: Description
Values Removed: Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript, and the application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints.
Values Added: Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript. The application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints.

Mon, 11 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 13:00:00 +0000

Values Added, by type:

Description: Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript, and the application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints.
Title: Exponent CMS 2.6 Multiple Vulnerabilities Stored XSS Authentication
First Time appeared: Exponentcms; Exponentcms exponent Cms
Weaknesses: CWE-79
CPEs: cpe:2.3:a:exponentcms:exponent_cms:*:*:*:*:*:*:*:*
Vendors & Products: Exponentcms; Exponentcms exponent Cms
References:
Metrics: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
Metrics: cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:51:42.814Z

Reserved: 2026-02-01T11:24:18.717Z

Link: CVE-2021-47931

Vulnrichment

Updated: 2026-05-11T11:37:16.156Z

NVD

Status: Deferred

Published: 2026-05-10T13:16:29.293

Modified: 2026-05-26T14:16:25.327

Link: CVE-2021-47931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:15:08Z
