Description
DRIMO CMS is vulnerable to Reflected XSS via q parameter in searching functionality. An attacker can prepare an URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.

Product is in End Of Life phase and will not receive any updates. However, deleting info.php file mitigates the vulnerability,
Published: 2026-06-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DRIMO CMS is vulnerable to reflected XSS through the q query string, an attacker can cause the victim’s browser to execute the code when the crafted URL is visited. The weakness permits client‑side script execution but does not grant access to server resources. This flaw is classified as CWE‑79.

Affected Systems

The vulnerability exists in DRIMO CMS from the vendor DRIMO. No specific product versions are listed, and the CMS is in an End‑of‑Life phase, meaning no security updates will be provided. The only remedial measure documented is the deletion of the info.php file, where the vulnerable search endpoint resides.

Risk and Exploitability

The CVSS score of 5.1 rates the vulnerability as moderate severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The vulnerability description does not state authentication requirements, so it is inferred that no authentication or privileged state is required. Nevertheless, all installations of this EOL product remain at risk for client‑side script execution.

Generated by OpenCVE AI on June 24, 2026 at 11:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Delete the info.php file to remove the vulnerable search endpoint.
  • Disable or sanitize the search functionality so that the q parameter cannot carry executable scripts.
  • Implement a Content Security Policy that blocks or restricts inline script execution to prevent arbitrary JavaScript from running.

Generated by OpenCVE AI on June 24, 2026 at 11:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Drimo
Drimo drimo Cms
Vendors & Products Drimo
Drimo drimo Cms

Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description DRIMO CMS is vulnerable to Reflected XSS via q parameter in searching functionality. An attacker can prepare an URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is in End Of Life phase and will not receive any updates. However, deleting info.php file mitigates the vulnerability,
Title Reflected XSS in DRIMO CMS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-23T13:58:49.034Z

Reserved: 2026-06-09T11:47:40.000Z

Link: CVE-2026-11772

cve-icon Vulnrichment

Updated: 2026-06-23T13:58:45.640Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')