Impact
Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into the Title and Text Block parameters through the text editing endpoint. The injection can consist of iframe payloads with embedded SVG onload events, enabling arbitrary JavaScript execution. Additionally, the application exposes database credentials in responses and does not provide brute-force protection on authentication endpoints, increasing the risk of credential compromise.
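For defenders auditing content already stored through the affected fields, the following added example (not code from Exponent CMS or from this advisory) scans stored Title and Text Block values for iframes and inline event handlers, including markup nested inside an iframe. The column names `title` and `text_block`, the use of the `srcdoc` attribute to carry the embedded SVG, and the sample rows are assumptions made for illustration.

```python
from html.parser import HTMLParser

MAX_DEPTH = 3  # stop recursing into nested srcdoc documents after this many levels


class ActiveContentFinder(HTMLParser):
    """Records iframes and inline event-handler attributes in an HTML fragment."""

    def __init__(self, depth=0):
        super().__init__(convert_charrefs=True)
        self.depth = depth
        self.findings = []  # (kind, location, nesting depth)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes entities
        # in attribute values, so mixed case and &lt;-encoded markup are covered.
        if tag == "iframe":
            self.findings.append(("iframe", tag, self.depth))
        for name, value in attrs:
            if len(name) > 2 and name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}.{name}", self.depth))
            # Assumption: the embedded SVG travels in the iframe's srcdoc attribute.
            if tag == "iframe" and name == "srcdoc" and value and self.depth < MAX_DEPTH:
                self.findings.extend(scan_html(value, self.depth + 1))


def scan_html(fragment, depth=0):
    finder = ActiveContentFinder(depth)
    finder.feed(fragment)
    finder.close()
    return finder.findings


def audit_rows(rows, fields=("title", "text_block")):
    """Return (row id, field, kind, location, depth) for every finding."""
    report = []
    for row in rows:
        for field in fields:
            for kind, where, depth in scan_html(row.get(field) or ""):
                report.append((row["id"], field, kind, where, depth))
    return report


# Constructed sample rows; column names are hypothetical.
SAMPLE_ROWS = [
    {"id": 1, "title": "Welcome", "text_block": "<p>Hello <b>world</b></p>"},
    {"id": 2, "title": '<iframe srcdoc="&lt;svg onload=alert(1)&gt;"></iframe>', "text_block": "<p>ok</p>"},
    {"id": 3, "title": "News", "text_block": '<p>x</p><SVG OnLoad="alert(1)"></SVG>'},
]
```

A finding marks a record for review and cleanup; it does not replace output encoding or sanitization where the fields are rendered.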
Affected Systems
This vulnerability affects Exponent CMS version 2.6, listed under the vendor and product pair ExponentCMS:Exponent CMS. No other versions or vendor products are listed as affected.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity, and the absence of an EPSS score limits insight into current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be authenticated because the text editing endpoint requires user credentials, and the attacker must have valid access to inject and cause script execution. If the attacker can access the vulnerable endpoint, they could hijack user sessions or exfiltrate data, potentially compromising confidentiality and integrity of the application. The credential exposure component amplifies the potential damage by providing an attacker with database access, facilitating further attacks such as data exfiltration or privilege escalation.
OpenCVE Enrichment