Description
A security vulnerability has been detected in xingfuggz BaykeShop up to version 1.3.20. Affected is an unknown function in the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the Article Sidebar Module component. Manipulation of the argument sidebar.content leads to cross-site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-23
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A cross-site scripting vulnerability exists in the BaykeShop Article Sidebar Module. By manipulating the value of sidebar.content rendered by the custom.html template, an attacker can inject arbitrary script that the browser executes when a user views the page. The flaw is a classic reflected XSS (CWE-79) that also involves the generation of executable code from user input (CWE-94). Attackers could hijack user sessions, deface pages or perform phishing attacks.

Affected Systems

Vendor: xingfuggz. Product: BaykeShop, version 1.3.20 and earlier. The issue is tied to the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html within the Article Sidebar Module. No later versions are known to be affected.

Risk and Exploitability

The CVSS base score of 4.8 classifies the flaw as medium severity. EPSS indicates a very low probability of exploitation, below 1%. It is not currently listed in CISA's KEV catalog. Exploitation requires remote access to the controller handling sidebar.content, meaning a vulnerable site can be attacked without authentication if the content is publicly reachable. Because the payload executes in the victim's browser, successful exploitation could lead to session theft or other client-side attacks.

Generated by OpenCVE AI on April 17, 2026 at 16:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BaykeShop to the latest released version that contains the fix for the custom.html XSS issue.
  • If no update is immediately available, sanitize all user-supplied content passed to sidebar.content and apply proper HTML or JavaScript escaping before rendering the page.
  • Restrict the sidebar.content area to trusted administrators, or disable the Article Sidebar Module until a patch is applied.
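The second recommended action, escaping or sanitizing the value before it is rendered, is illustrated below. This is an added example written for this page, not BaykeShop's own code, and it does not reproduce the vulnerable template; the advisory does not say how custom.html renders sidebar.content. It assumes a Django-style template layer (an inference from the project's templates/ directory structure), where variables are escaped by default and the risk arises only when a value is rendered raw, for example through the |safe filter. The tag and attribute allowlist is a hypothetical policy chosen for the example, and the payloads are constructed.

```python
"""Two defensive renderings for a sidebar HTML value such as sidebar.content.

Added illustration for the remediation advice above, not BaykeShop's code.
Standard library only.

  escape_all()  - treat the value as plain text, so every tag is inert.
  sanitize()    - keep a small allowlist of formatting tags and drop
                  scripts, event-handler attributes and javascript: URLs,
                  for sidebars that legitimately need limited rich text.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy chosen for this example: formatting tags only,
# and the sole permitted attribute is href on <a>.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
VOID_TAGS = {"br"}


def escape_all(content: str) -> str:
    """Render the value as text: <, >, &, and quotes become entities."""
    return html.escape(content, quote=True)


def _safe_href(value: str) -> bool:
    """Accept only allowlisted URL schemes.

    Whitespace and control characters are removed before the scheme is
    read, so an obfuscated 'java\\nscript:' is not mistaken for a
    relative URL.
    """
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    return urlsplit(cleaned).scheme.lower() in ALLOWED_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only allowlisted markup.

    Unknown tags are dropped. The contents of <script> and <style> are
    dropped as well, so a payload cannot survive as harmless-looking text
    that a later layer might re-interpret.
    """

    DROP_CONTENT = {"script", "style"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not _safe_href(value or ""):
                continue  # drops javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Text is re-escaped, so a literal "<" typed by a user stays text.
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize(content: str) -> str:
    """Return a fragment containing only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(content)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample payload, not taken from the advisory.
    payload = '<p onclick="steal()">Hello <b>world</b></p><script>alert(1)</script>'
    print(escape_all(payload))
    print(sanitize(payload))  # <p>Hello <b>world</b></p>
```

Which function to use depends on what the sidebar is for: if the field is meant to hold plain text, escape_all (or simply leaving Django autoescaping on) is the whole fix; if administrators need limited formatting, run sanitize() when the value is saved and again when it is rendered, and keep the rendered value marked safe only after it has passed through the sanitizer.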

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 13:15:00 +0000

Type: Metrics. Values removed: none. Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared. Values removed: none. Values added: Xingfuggz; Xingfuggz baykeshop
Type: Vendors & Products. Values removed: none. Values added: Xingfuggz; Xingfuggz baykeshop

Mon, 23 Feb 2026 22:15:00 +0000

Type: Description. Values removed: none. Values added:
A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module. Such manipulation of the argument sidebar.content leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Type: Title. Values removed: none. Values added: xingfuggz BaykeShop Article Sidebar custom.html cross site scripting
Type: Weaknesses. Values removed: none. Values added: CWE-79; CWE-94
Type: References. Values removed: none. Values added: none listed
Type: Metrics. Values removed: none. Values added:
cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T15:38:53.536Z

Reserved: 2026-02-23T16:41:31.154Z

Link: CVE-2026-3041

Vulnrichment

Updated: 2026-02-25T15:38:35.700Z

NVD

Status: Deferred

Published: 2026-02-23T22:16:26.210

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')