Description
A vulnerability has been found in Intelliants Subrion CMS up to 4.0.3. Affected by this issue is some unknown functionality of the component Blocks Endpoint. Such manipulation of the argument CSS class name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Blocks Endpoint of Intelliants Subrion CMS versions up to 4.0.3. By altering the CSS class name argument sent to the endpoint, an attacker can inject malicious script code. This flaw enables a reflected cross‑site scripting (XSS) attack that will execute when a victim visits the affected page. The CVE notes that the attack can be performed remotely and has been publicly disclosed.

Affected Systems

Intelliants Subrion CMS versions up to 4.0.3 are affected; any deployment exposing the Blocks Endpoint is vulnerable.

Risk and Exploitability

The CVSS base score of 4.8 indicates moderate severity. EPSS is not available, and there is no KEV designation. The vulnerability is publicly disclosed and can be triggered via an HTTP request to the vulnerable endpoint, so exposed systems face a measurable risk. The impact is client‑side script execution; it does not provide server‑side compromise, but can lead to credential theft, session hijacking, or defacement if executed in a user‑browser context.

Generated by OpenCVE AI on June 15, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched or newer version of Subrion CMS if one is available.
  • Sanitize or whitelist CSS class names on the Blocks Endpoint, accepting only valid characters.
  • Deploy a web application firewall or apply XSS protection headers such as Content-Security-Policy and X-Content-Type-Options to mitigate reflected XSS attacks.

Generated by OpenCVE AI on June 15, 2026 at 04:21 UTC.
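
One way to apply the allowlist recommendation above, shown as an added example in PHP (the language Subrion is written in). It is not Subrion's code or a vendor patch; the function names, the token limits and the `box` base class are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of Subrion CMS: reduce a user-supplied
// "CSS class name" field to an allowlisted list of class tokens.
function sanitize_css_classes(string $raw, int $maxTokens = 8, int $maxLen = 64): string
{
    $safe = [];
    // A class attribute is a whitespace-separated token list.
    foreach (preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        // Allowlist: a letter first, then letters, digits, '-' or '_'.
        // Quotes, angle brackets, '=', '(' and ';' never match, so a token
        // cannot close the attribute or start a new tag or handler.
        if (strlen($token) <= $maxLen
            && preg_match('/\A[A-Za-z][A-Za-z0-9_-]*\z/', $token) === 1) {
            $safe[$token] = true; // array keys de-duplicate repeated classes
        }
        if (count($safe) >= $maxTokens) {
            break;
        }
    }
    return implode(' ', array_keys($safe));
}

// Output side: escape for the HTML attribute context even after validation,
// so values stored before the filter existed are neutralised as well.
// The 'box' base class is an assumption made for this example.
function render_block_open(string $storedClasses): string
{
    $classes = htmlspecialchars(
        sanitize_css_classes($storedClasses),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<div class="box ' . $classes . '">';
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'panel panel-default',
    'col-md-4  col-md-4 hidden_xs',
    'box"><script>alert(1)</script>',
    "x' onmouseover='alert(1)",
    '9lives -leading ok-name',
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", json_encode($s), render_block_open($s));
}
```

Validating when the value is saved and escaping again when it is rendered are independent controls: the first keeps bad data out of storage, the second covers anything that was stored earlier.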

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 02:00:00 +0000

Values Added (no Values Removed are listed):

  • Description: A vulnerability has been found in Intelliants Subrion CMS up to 4.0.3. Affected by this issue is some unknown functionality of the component Blocks Endpoint. Such manipulation of the argument CSS class name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title: Intelliants Subrion CMS Blocks Endpoint cross site scripting
  • First Time appeared: Intelliants; Intelliants subrion Cms
  • Weaknesses: CWE-79; CWE-94
  • CPEs: cpe:2.3:a:intelliants:subrion_cms:*:*:*:*:*:*:*:*
  • Vendors & Products: Intelliants; Intelliants subrion Cms
  • References:
  • Metrics:
      cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T00:45:08.592Z

Reserved: 2026-06-14T11:47:26.996Z

Link: CVE-2026-12202

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T02:16:11.043

Modified: 2026-06-15T02:16:11.043

Link: CVE-2026-12202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T04:30:29Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')