Description
A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via article title input may allow malicious scripts to run in the browsers of users who view affected articles.
Action: Patch promptly
AI Analysis

Impact

A cross‑site scripting vulnerability exists in Blossom when the Article Title field is processed by ArticleController.java in the Article Title Handler component. Input containing malicious scripts is not properly sanitized, allowing attackers to inject arbitrary JavaScript that executes in the context of a victim’s browser. Compromise could enable session hijacking, defacement, or execution of further client‑side attacks.

Affected Systems

All installations of Blossom up to version 1.17.1 are affected. The vulnerable code resides in blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java, part of the Blossom backend package. Users running the Blossom web application in this version range must verify whether their deployment includes this component.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity. The EPSS score is less than 1%, suggesting low known exploitation probability, and the issue is not listed in the CISA KEV catalog. However, the vulnerability is publicly disclosed and can be triggered remotely through normal use of the application, so the risk to systems that have not applied a fix remains moderate and active.

Generated by OpenCVE AI on April 17, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blossom to a version newer than 1.17.1 that contains the fixed Article Title Handler code.
  • If an upgrade is not immediately possible, implement server‑side sanitization on article titles to escape or strip HTML and JavaScript before storage or rendering.
  • Enforce a Content Security Policy that disallows inline scripts and limits script sources to trusted origins, reducing the impact of any remaining unsanitized content.
  • Consider deploying a web application firewall rule to block requests with script tags or suspicious payloads in the title field.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wangyunf
                                      Wangyunf blossom
CPEs                                  cpe:2.3:a:wangyunf:blossom:*:*:*:*:*:*:*:*
Vendors & Products                    Wangyunf
                                      Wangyunf blossom

Thu, 19 Feb 2026 01:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Blossom
                                      Blossom blossom
Vendors & Products                    Blossom
                                      Blossom blossom

Tue, 17 Feb 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                          Blossom Article Title ArticleController.java content cross site scripting
Weaknesses                     CWE-79
                               CWE-94
References
Metrics                        cvssV2_0
                               {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                               cvssV3_0
                               {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV3_1
                               {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV4_0
                               {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:15:12.991Z

Reserved: 2026-02-17T10:24:09.111Z

Link: CVE-2026-2622

Vulnrichment

Updated: 2026-02-18T14:48:36.574Z

NVD

Status : Analyzed

Published: 2026-02-17T21:22:16.820

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses