Description
u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components
Published: 2026-07-02
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a POST-based reflected cross-site scripting flaw in u5CMS through version 12.8.8. Several form components take the 'thanks' parameter from the submitted form data and write it into the HTML response without output encoding, so a value containing HTML or script markup is rendered, and any script in it executed, in the victim's browser within the context of the u5CMS site. This weakness is categorized as CWE-79, Improper Neutralization of Input During Web Page Generation.

Affected Systems

u5CMS deployments running any release up to and including v12.8.8 are affected. The advisory names no fixed version, and no vendor fix or workaround is recorded for this CVE at the time of writing; treat every u5CMS release at or below v12.8.8 as vulnerable, and confirm in the vendor's release notes that a newer build actually addresses the 'thanks' parameter before treating it as fixed.

Risk and Exploitability

The CVSS 4.0 score of 6.4 places this flaw in the Medium severity range. The vector (AV:N/AC:L/AT:N/PR:N/UI:A) describes an unauthenticated, low-complexity attack over the network that requires active user interaction: because the payload travels in a POST body rather than in a URL, the victim must be induced to submit a crafted form to the vulnerable endpoint, so the attacker needs a delivery channel such as a page or message the victim acts on. No EPSS score has been assigned, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. None of that lowers the risk for a particular site: reflected XSS against a logged-in editor or administrator lets the attacker act as that user within the application. Applying a vendor patch as soon as one is available, and removing the raw reflection of 'thanks' in the meantime, is the priority.

Generated by OpenCVE AI on July 2, 2026 at 20:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a u5CMS release that the vendor states addresses the 'thanks' parameter; as of this record no fixed version has been published, so monitor the vendor's releases rather than assuming the next version number is safe.
  • If an upgrade cannot be performed immediately, disable the affected form pages, or reject submissions whose 'thanks' field contains HTML metacharacters (<, >, ", ', &) at a reverse proxy or web application firewall in front of the site.
  • HTML-encode every form parameter at the point it is written into the page, using encoding appropriate to the output context (element text, attribute, script, or URL), and validate input against the format each field is expected to carry.
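The raw reflection described under Impact and the output-encoding fix recommended above, side by side, as an added example: this is constructed Python modelling the pattern, not u5CMS's own code. The template string, the field names and the canary value are assumptions; the probe uses a harmless canary carrying HTML metacharacters, so it verifies whether encoding is in place without sending executable script, and can be pointed at an instance you own.

```python
"""CWE-79 on a form 'thanks' parameter, modelled in Python: a raw reflection
beside the encoded version, plus a canary probe that tells them apart.

Added example, not u5CMS code. The template, the field names and the canary
string are assumptions chosen to illustrate the advisory.
"""
import html
import sys
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Hypothetical confirmation markup; u5CMS's real template is not on the advisory page.
THANKS_TEMPLATE = '<p class="form-result">{thanks}</p>'

# Canary carrying every HTML metacharacter an encoder must neutralise. If it
# comes back verbatim, the parameter reaches the page without encoding.
CANARY = "xsscanary<\"'>&"


def parse_post_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_thanks_vulnerable(fields: dict) -> str:
    """Vulnerable pattern: the submitted value is pasted straight into the HTML."""
    return THANKS_TEMPLATE.format(thanks=fields.get("thanks", "Thank you"))


def render_thanks_hardened(fields: dict) -> str:
    """Fixed pattern: HTML-encode the value, quotes included, at the output point."""
    safe = html.escape(fields.get("thanks", "Thank you"), quote=True)
    return THANKS_TEMPLATE.format(thanks=safe)


def reflects_unencoded(response_html: str, canary: str = CANARY) -> bool:
    """True when the canary's metacharacters survive verbatim into the response."""
    return canary in response_html


def probe(render, canary: str = CANARY) -> bool:
    """Drive one render function with a constructed POST body carrying the canary."""
    body = urlencode({"name": "tester", "thanks": canary})
    return reflects_unencoded(render(parse_post_body(body)), canary)


def probe_live(url: str, field: str = "thanks", canary: str = CANARY) -> bool:
    """POST the canary to a form endpoint you own and report raw reflection.

    Makes a network request; use only against instances you are authorised to test.
    """
    data = urlencode({field: canary}).encode()
    req = Request(url, data=data,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return reflects_unencoded(resp.read().decode(errors="replace"), canary)


if __name__ == "__main__":
    print("vulnerable render reflects unencoded:", probe(render_thanks_vulnerable))
    print("hardened render reflects unencoded:  ", probe(render_thanks_hardened))
    if len(sys.argv) > 1:  # optional: python3 thanks_probe.py https://your-site/form-endpoint
        print("live endpoint reflects unencoded:    ", probe_live(sys.argv[1]))
```

For a PHP codebase such as u5CMS, the equivalent of `html.escape(value, quote=True)` is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` applied where the value is echoed. The encoding has to match the output context: this template places the value in element text, where HTML entity encoding is sufficient, but a value written into a script block or a URL needs JavaScript or URL encoding instead. The probe treats survival of the canary as the signal rather than any particular payload, which makes it suitable for confirming that a fix has landed after an upgrade.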



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 14:30:00 +0000

Type: Weaknesses
Values removed: none
Values added: CWE-79

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 12:15:00 +0000

Type: Description
Values removed: none
Values added: u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components

Type: Title
Values removed: none
Values added: POST-based reflected XSS via the thanks parameter in form components

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values removed: none
Values added: {'score': 6.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H'}



MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-07-02T13:14:25.969Z

Reserved: 2026-07-02T07:19:55.068Z

Link: CVE-2026-14449

Vulnrichment

Updated: 2026-07-02T13:14:22.840Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T20:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')