Description
Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft.
Published: 2026-04-22
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Persistent Cross‑Site Scripting (XSS) that can hijack sessions and steal data
Action: Apply Patch
AI Analysis

Impact

Carbon Forum 5.9.0 has a persistent cross‑site scripting flaw that permits authenticated administrators to insert arbitrary JavaScript into the Forum Name field of the dashboard settings. The stored script runs in every visitor’s browser when they view the forum, allowing an attacker to hijack user sessions and exfiltrate sensitive information. The weakness stems from unvalidated input and improper output encoding (CWE‑79).

Affected Systems

The vulnerability affects the Carbon Forum 5.9.0 release from the 94Cb vendor. No other versions are listed in the current data. Users running this exact version are directly impacted.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability is classified as Medium severity. An exploit requires that the attacker already have administrative access to the forum; it cannot be triggered by unauthenticated users. Because the EPSS score is not available and the issue is not in CISA’s KEV catalog, the likelihood of widespread exploitation is uncertain, but privileged accounts are at risk if they are compromised or if attacker accounts are mistakenly granted admin rights.

Generated by OpenCVE AI on April 22, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Carbon Forum to the latest release that includes the XSS fix.
  • If an immediate upgrade is not possible, restrict the Forum Name field to text only by sanitizing input and escaping output; consider temporarily disabling the ability to edit the Forum Name for non‑trusted staff.
  • Enforce strict access controls and audit logs for all administrator actions to detect suspicious changes to the Forum Name field.
  • Ensure that all administrators use strong, unique credentials and enable multi‑factor authentication to reduce the chance of credential compromise.

Generated by OpenCVE AI on April 22, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared 94cb
94cb carbon Forum
Vendors & Products 94cb
94cb carbon Forum

Thu, 23 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft.
Title Carbon Forum 5.9.0 Persistent XSS via Forum Name Field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

94cb Carbon Forum
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-23T14:09:27.223Z

Reserved: 2026-04-21T15:00:11.849Z

Link: CVE-2024-58344

cve-icon Vulnrichment

Updated: 2026-04-23T14:09:06.568Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T16:16:48.363

Modified: 2026-04-22T21:22:35.387

Link: CVE-2024-58344

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:54:52Z

Weaknesses