Description
A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
Published: 2026-01-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (remote XSS)
Action: Apply patch
AI Analysis

Impact

The vulnerability is in the Save function of the ContentController component of lcg0124 BootDo, reached through the /blog/bContent/save endpoint. The content, author, and title parameters are accepted without validation and are later rendered without HTML escaping or sanitization, so a user who can submit blog content can inject arbitrary HTML and JavaScript. Because the injected values are saved and then shown to whoever views the post, this behaves as a persistent (stored) cross-site scripting flaw: the script runs in the viewer's browser with the viewer's session, which can expose session cookies or tokens that are not marked HttpOnly, allow actions to be performed as the viewer, or deface the page. The issue is classified as remote cross-site scripting (CWE-79) and is triggered by sending crafted requests to the vulnerable endpoint.

Affected Systems

lcg0124 BootDo is affected up to and including commit e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. The project follows a rolling-release model with no version numbers, so a deployment cannot be matched against a fixed release; any checkout at or before that commit should be treated as vulnerable, and later commits should be verified rather than assumed fixed, since no fix is recorded on this entry.

Risk and Exploitability

The CVSS 4.0 score of 5.1 indicates moderate severity; the CVSS 3.x vectors on this entry rate the same flaw 3.5 (Low). The EPSS probability below 1% suggests exploitation in the wild is unlikely, and the vulnerability is not in the CISA KEV catalog. A public proof of concept does exist, however, and SSVC records it as Exploitation: poc, Automatable: no, Technical Impact: partial. Every CVSS vector on this entry requires low privileges (PR:L) and user interaction (UI:P / UI:R): the attacker needs an account that can submit content to the Save endpoint, and the payload fires when another user views the saved content, so the realistic target is anyone who reads the blog, including administrators.

Generated by OpenCVE AI on April 18, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a BootDo commit that fixes the issue once the maintainer publishes one. No fix is recorded on this entry, and because the project is a rolling release there is no version to pin to, so compare your checkout against e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb and review the ContentController save and render paths yourself before assuming a newer checkout is safe.
  • If an update is not possible, validate the title, author, and content fields server-side (presence, length, expected character set) and HTML-escape them at render time for the context they are emitted into. If content must carry rich-text HTML, pass it through an allow-list sanitizer instead of escaping it, and never emit it raw.
  • A web-application firewall or equivalent filter in front of the Save endpoint reduces exposure to common XSS payloads, but filters are bypassable and do not fix the flaw; treat this as a stopgap. A Content-Security-Policy and HttpOnly session cookies limit what an injected script can do in the meantime.
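The following is an added example written for this entry, not code from the BootDo project, showing the shape of the validation-and-output-escaping fix the actions above describe. BootDo is a Spring Boot application, so the real handler is a Spring MVC controller; to keep the example runnable without Spring it uses a plain-Java stand-in. The class, method and field names (ContentSaveExample, ContentRecord, saveHardened, renderVulnerable, renderHardened, escapeHtml) and the length limits are hypothetical; only the endpoint /blog/bContent/save and the parameter names title, author and content come from the advisory. The sample payloads are constructed generic XSS strings, not the published proof of concept.

```java
import java.util.Map;

/**
 * Added example, not BootDo's code: a plain-Java stand-in for the
 * /blog/bContent/save handler so the escaping logic can be compiled and run
 * without Spring. All identifiers here are hypothetical.
 */
public class ContentSaveExample {

    /** Stand-in for the persisted blog entry (hypothetical). */
    public static final class ContentRecord {
        public final String title;
        public final String author;
        public final String content;

        public ContentRecord(String title, String author, String content) {
            this.title = title;
            this.author = author;
            this.content = content;
        }
    }

    // Assumed limits; pick values that match the real column sizes.
    private static final int MAX_TITLE = 200;
    private static final int MAX_AUTHOR = 64;

    /** HTML entity escaping for a text node or a double-quoted attribute. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable shape: stored parameters concatenated straight into HTML. */
    public static String renderVulnerable(ContentRecord r) {
        return "<h1>" + r.title + "</h1>"
             + "<p class=\"author\">" + r.author + "</p>"
             + "<div class=\"body\">" + r.content + "</div>";
    }

    /**
     * Hardened save: reject missing or oversized input on the server. Escaping
     * is deliberately not done here; encoding belongs at output, where the
     * context (HTML text, attribute, JavaScript, URL) is known. Escaping on
     * save would double-encode on every edit and leave already-stored rows
     * unescaped.
     */
    public static ContentRecord saveHardened(Map<String, String> params) {
        String title = require(params, "title", MAX_TITLE);
        String author = require(params, "author", MAX_AUTHOR);
        String content = require(params, "content", Integer.MAX_VALUE);
        return new ContentRecord(title, author, content);
    }

    private static String require(Map<String, String> p, String key, int max) {
        String v = p.get(key);
        if (v == null || v.isEmpty()) {
            throw new IllegalArgumentException("missing parameter: " + key);
        }
        if (v.length() > max) {
            throw new IllegalArgumentException("parameter too long: " + key);
        }
        return v;
    }

    /**
     * Hardened render: every field is escaped for the HTML text context it
     * lands in. If the editor must accept rich-text HTML in content, replace
     * escapeHtml(r.content) with an allow-list sanitizer such as jsoup's
     * Jsoup.clean(html, Safelist.basic()); never emit it raw.
     */
    public static String renderHardened(ContentRecord r) {
        return "<h1>" + escapeHtml(r.title) + "</h1>"
             + "<p class=\"author\">" + escapeHtml(r.author) + "</p>"
             + "<div class=\"body\">" + escapeHtml(r.content) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample input: generic payloads for the three advisory
        // parameters, one per HTML context the vulnerable render puts them in.
        Map<String, String> params = Map.of(
            "title", "Hello <script>alert(document.cookie)</script>",
            "author", "\"><img src=x onerror=alert(1)>",
            "content", "<p>legit text</p><svg onload=alert(2)>");

        ContentRecord r = saveHardened(params);
        System.out.println("VULNERABLE:\n" + renderVulnerable(r));
        System.out.println("\nHARDENED:\n" + renderHardened(r));
    }
}
```

Compile with `javac ContentSaveExample.java` (Java 9 or newer for Map.of) and run `java ContentSaveExample`; the hardened output contains no unescaped `<` from user data, so the browser parses no injected tag or event handler. If BootDo's templates are Thymeleaf (an assumption, not confirmed by this entry), the equivalent fix in the view is to render these fields with `th:text`, which escapes, and never with `th:utext` or inline scripting.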

Generated by OpenCVE AI on April 18, 2026 at 05:21 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Lcg0124
Lcg0124 bootdo
Vendors & Products Lcg0124
Lcg0124 bootdo

Mon, 19 Jan 2026 04:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
Title lcg0124 BootDo ContentController save cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:41:22.869Z

Reserved: 2026-01-18T07:18:02.496Z

Link: CVE-2026-1136

Vulnrichment

Updated: 2026-01-20T20:11:12.867Z

NVD

Status : Deferred

Published: 2026-01-19T04:15:59.303

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:30:25Z

Weaknesses