Description
HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encoding at several points within the software, malicious scripts could be injected and executed in the context of the user's browser. This issue has been patched in version 1.18.1.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) in a user‑displayed Button component
Action: Apply Patch
AI Analysis

Impact

A software flaw in HumHub 1.18.0 allows an attacker to inject arbitrary, executable scripts through the Button component. Because the application performs inconsistent output encoding, malicious code can be rendered and run in the victim's browser, potentially stealing credentials or session data, defacing the interface, or performing actions on behalf of the user. The weakness corresponds to CWE‑79, a typical client‑side injection flaw. The vulnerability is fixed in HumHub 1.18.1, which implements proper output encoding in the Button component.

Affected Systems

The vulnerability affects HumHub 1.18.0, as identified by the CPE for that version. The issue is fixed in HumHub 1.18.1, which implements proper output encoding in the Button component. All owners of a 1.18.0 deployment are impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. EPSS is listed as < 1%, implying a low probability of exploitation in the wild at present. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. The flaw is reachable wherever a button is rendered from untrusted content, so the likely attack vector is a malicious link or user-supplied content that reaches the button's output without encoding.

Generated by OpenCVE AI on April 17, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HumHub to version 1.18.1 or later, where the output encoding bug is corrected.
  • If an upgrade is not immediately possible, enforce strict output encoding or sanitization on any dynamic button labels to prevent script injection.
  • Deploy application‑layer controls such as a web‑application firewall rule that blocks script payloads inserted into UI elements.
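The second recommendation above (consistent output encoding of every dynamic button value) is illustrated by the following added example. It is not HumHub's code and does not reproduce the affected component; the advisory does not say which rendering path was left unencoded. The function names, the attribute allow-list and the sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added example, not HumHub's code: a minimal button renderer that routes
// every dynamic value (label, attribute values, link target) through one
// encoding function. CWE-79 in a component like this typically arises when
// some of these outputs are encoded and others are not; the fix is to leave
// no unencoded path. Function names and the allow-list are assumptions.

declare(strict_types=1);

/** Encode a value for safe use as HTML text or inside a double-quoted attribute. */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render a <button>, or an <a> when $href is given, from possibly untrusted input.
 * Attribute names must be on an allow-list (so event handlers such as onclick are
 * dropped) and every emitted value goes through encodeHtml().
 *
 * @param array<string, string> $attrs
 */
function renderButton(string $label, array $attrs = [], ?string $href = null): string
{
    $allowedAttrs = ['class', 'id', 'title', 'data-action'];
    $parts = [];
    foreach ($attrs as $name => $value) {
        if (!in_array($name, $allowedAttrs, true)) {
            continue; // unknown attribute names are discarded, not encoded
        }
        $parts[] = $name . '="' . encodeHtml((string) $value) . '"';
    }
    $attrString = $parts === [] ? '' : ' ' . implode(' ', $parts);

    if ($href !== null) {
        // Accept only absolute http(s) URLs or site-relative paths (not the
        // protocol-relative "//host" form), so javascript: or data: links are rejected.
        if (!preg_match('#^(https?://|/(?!/))#i', $href)) {
            $href = '#';
        }
        return '<a href="' . encodeHtml($href) . '"' . $attrString . '>' . encodeHtml($label) . '</a>';
    }

    return '<button type="button"' . $attrString . '>' . encodeHtml($label) . '</button>';
}

// Constructed sample input: a label and attributes carrying markup and an event
// handler. Both are rendered as inert text, and the onclick attribute is dropped.
$untrustedLabel = '<img src=x onerror=alert(1)>';
$untrustedAttrs = ['title' => '" onmouseover="alert(2)', 'onclick' => 'alert(3)'];

echo renderButton($untrustedLabel, $untrustedAttrs), PHP_EOL;
echo renderButton('Open', ['class' => 'btn'], 'javascript:alert(4)'), PHP_EOL;
```

The design point is that a component with more than one rendering path (plain button, link-style button, button with tooltip) must call the same encoder on every path; a regression test that feeds a label and each attribute a string containing `<`, `"` and `'` and asserts that none of them appears unencoded in the output is a cheap way to keep that property.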

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 21:30:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:humhub:humhub:1.18.0:-:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 09 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Humhub
                                      Humhub humhub
Vendors & Products                    Humhub
                                      Humhub humhub

Fri, 06 Mar 2026 07:15:00 +0000

Type          Values Removed   Values Added
Description                    HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encoding at several points within the software, malicious scripts could be injected and executed in the context of the user's browser. This issue has been patched in version 1.18.1.
Title                          HumHub: XSS in Button component
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T19:56:13.803Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29048

Vulnrichment

Updated: 2026-03-09T19:56:05.907Z

NVD

Status : Analyzed

Published: 2026-03-06T07:16:01.920

Modified: 2026-03-09T21:23:43.480

Link: CVE-2026-29048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses