Description
HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.
Published: 2026-01-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTML Injection (XSS)
Action: Patch
AI Analysis

Impact

This vulnerability is an HTML injection flaw that allows an attacker to embed arbitrary markup into the 'q' search parameter, leading to client‑side script execution within the context of the victim's browser. The flaw arises because the application fails to properly validate or escape user input before rendering it. The impact can compromise confidentiality, integrity, and availability of the user session through cross‑site scripting, potentially enabling session hijacking, data theft, or malicious content injection.

Affected Systems

Affected products include Botble Athena, Homzen, Martfury, and TransP, all versions of each product. The issue is present in all current releases until patched by the vendor.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity vulnerability, and the EPSS score of less than 1% shows a low probability of exploitation at the time of writing. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request to '/search' with a crafted 'q' parameter that contains malicious HTML. If exploited, an attacker could execute arbitrary JavaScript in the victim’s browser, enabling further cross‑site attacks.

Generated by OpenCVE AI on April 18, 2026 at 04:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade Botble Athena, Homzen, Martfury, and TransP to the latest release that addresses the HTML injection flaw.
  • If no patch is currently available, sanitize or escape all content returned from the 'q' parameter before rendering it to prevent injection.
  • Implement input validation on the 'q' parameter to accept only alphanumeric characters or enforce a whitelist to reduce the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 04:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
Description HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.
Title HTML injection in multiple Botble products
First Time appeared Botble
Botble athena
Botble homzen
Botble martfury
Botble transp
Weaknesses CWE-79
CPEs cpe:2.3:a:botble:athena:all_versions:*:*:*:*:*:*:*
cpe:2.3:a:botble:homzen:all_versions:*:*:*:*:*:*:*
cpe:2.3:a:botble:martfury:all_versions:*:*:*:*:*:*:*
cpe:2.3:a:botble:transp:all_versions:*:*:*:*:*:*:*
Vendors & Products Botble
Botble athena
Botble homzen
Botble martfury
Botble transp
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Botble Athena Homzen Martfury Transp
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-20T17:51:26.528Z

Reserved: 2026-01-19T12:17:38.221Z

Link: CVE-2026-1183

cve-icon Vulnrichment

Updated: 2026-01-20T17:46:45.361Z

cve-icon NVD

Status : Deferred

Published: 2026-01-20T13:16:03.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1183

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z

Weaknesses