Description
Reflected Cross-Site Scripting (XSS) vulnerability in Navigate Content Management System. The vulnerability is present in the '/blog' endpoint because user input is not properly sanitized through designed query parameters. This results in unsafe HTML rendering, which could allow a remote attacker to execute JavaScript code in the victim's browser.
Published: 2026-04-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that can execute arbitrary JavaScript in a victim’s browser
Action: Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the Navigate CMS. Untrusted data supplied to the "/blog" endpoint is not sanitized before rendering, allowing an attacker to inject JavaScript that will run in a victim’s browser. This can lead to session hijacking, credential theft, or defacement of the displayed page.

Affected Systems

The flaw exists in Navigate CMS versions prior to 2.9.6. The vendor’s fix is shipped in version 2.9.6 and later. Administrators should verify that their installations are not running a vulnerable release.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate risk, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote: an attacker crafts a malicious URL to the "/blog" endpoint and induces a victim to visit it. No privileges on the server are required, so any unauthenticated remote party can attempt it, but the victim’s interaction (visiting the crafted link) is necessary, as the CVSS vector’s PR:N/UI:A reflects.
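As an added example (not from OpenCVE or the Navigate CMS project), the following Python scans web-server access logs for requests to the /blog endpoint whose query parameters carry HTML markup, event-handler attributes or javascript: URLs once URL-decoded, which is the request shape the reflected vector described above produces. The log lines and the parameter name search are constructed for the example; the page does not name Navigate CMS's actual parameters.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Two requests carry markup in a /blog query parameter, one /blog request is
# benign, and one carries markup but targets a different path.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Apr/2026:10:05:01 +0000] "GET /blog?page=2 HTTP/1.1" 200 5120
203.0.113.11 - - [21/Apr/2026:10:05:09 +0000] "GET /blog?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5300
203.0.113.12 - - [21/Apr/2026:10:05:13 +0000] "GET /blog?search=%22%20onmouseover%3D%22x%28%29 HTTP/1.1" 200 5290
203.0.113.13 - - [21/Apr/2026:10:05:20 +0000] "GET /contact?msg=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Markup shapes that should never appear in a plain search or paging parameter.
# Ordered so the most specific reason is reported first for a given value.
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def flag_reflected_xss_attempts(log_text, endpoint="/blog"):
    """Return one finding per flagged parameter value on requests to `endpoint`."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != endpoint:
            continue
        # parse_qsl decodes once; decode a second time so double-encoded
        # values (%253C -> %3C -> <) are inspected in their final form.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote_plus(value)
            for reason, pattern in INDICATORS.items():
                if pattern.search(decoded):
                    findings.append(
                        {"line": line_no, "param": name, "reason": reason, "value": decoded}
                    )
                    break
    return findings


if __name__ == "__main__":
    for f in flag_reflected_xss_attempts(SAMPLE_LOG):
        print(f"line {f['line']}: {f['reason']} in {f['param']!r}: {f['value']!r}")
```

The event-handler pattern can fire on ordinary words that start with "on" followed by "=" (a search for "onion=soup", say), so treat hits as triage leads to correlate with the server's response size or status rather than as proof of an attack.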

Generated by OpenCVE AI on April 21, 2026 at 23:06 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Navigate CMS team in version 2.9.6.


OpenCVE Recommended Actions

  • Upgrade Navigate CMS to version 2.9.6 or newer to apply the vendor patch.
  • Review any custom code or plugins that process the "/blog" query parameters to ensure proper input validation and output encoding are in place.
  • Implement a Content Security Policy that restricts inline script execution to mitigate the impact of any remaining XSS vectors.
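To illustrate the second and third recommended actions, here is an added Python example (not Navigate CMS code; the project is written in PHP, where the equivalent encoding call is htmlspecialchars with ENT_QUOTES). It shows a reflected parameter rendered without encoding beside the same rendering with HTML output encoding, plus a check for whether a Content-Security-Policy string still permits inline script. The parameter name search and the page fragment are hypothetical.

```python
import html
from urllib.parse import parse_qs


def _search_term(query_string):
    # Hypothetical parameter name; Navigate CMS's actual names are not on the page.
    return parse_qs(query_string, keep_blank_values=True).get("search", [""])[0]


def render_results_unsafe(query_string):
    """Reflects the raw parameter into HTML: any markup in it becomes part of the page."""
    return f"<h2>Results for {_search_term(query_string)}</h2>"


def render_results_safe(query_string):
    """Same rendering with output encoding: <, >, &, and quotes become entities,
    so the browser displays the text instead of parsing it as markup."""
    return f"<h2>Results for {html.escape(_search_term(query_string), quote=True)}</h2>"


# A policy that blocks inline script; adjust script-src for any external origins the site loads.
HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def csp_allows_inline_scripts(policy):
    """True when the policy still lets the browser run inline <script> blocks and
    event-handler attributes, i.e. when it would not blunt a reflected XSS."""
    directives = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    if "script-src" not in directives and "default-src" not in directives:
        return True  # no script restriction at all
    sources = directives.get("script-src", directives.get("default-src"))
    if "'unsafe-inline'" not in sources:
        return False
    # CSP level 2: a nonce or hash source makes conforming browsers ignore 'unsafe-inline'.
    return not any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )


if __name__ == "__main__":
    qs = "search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"  # constructed input
    print(render_results_unsafe(qs))
    print(render_results_safe(qs))
    print("hardened CSP allows inline:", csp_allows_inline_scripts(HARDENED_CSP))
```

Output encoding at the point of rendering is the fix; the CSP is a second layer that limits what an overlooked reflection can do, and the checker makes the common mistake of keeping 'unsafe-inline' in script-src visible.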

Generated by OpenCVE AI on April 21, 2026 at 23:06 UTC.


Advisories

No advisories yet.

History

Tue, 21 Apr 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 09:45:00 +0000

Type                  Values Removed   Values Added
Description           -                Reflected Cross-Site Scripting (XSS) vulnerability in Navigate Content Management System. The vulnerability is present in the '/blog' endpoint because user input is not properly sanitized through designed query parameters. This results in unsafe HTML rendering, which could allow a remote attacker to execute JavaScript code in the victim's browser.
Title                 -                Reflected Cross-Site Scripting in Navigate CMS application
First Time appeared   -                Navigate
                                       Navigate navigate Cms
Weaknesses            -                CWE-79
CPEs                  -                cpe:2.3:a:navigate:navigate_cms:*:*:*:*:*:*:*:*
                                       cpe:2.3:a:navigate:navigate_cms:2.9.6:*:*:*:*:*:*:*
Vendors & Products    -                Navigate
                                       Navigate navigate Cms
References            -
Metrics               -                cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-21T13:22:03.438Z

Reserved: 2026-02-27T10:16:01.748Z

Link: CVE-2026-3317

Vulnrichment

Updated: 2026-04-21T13:21:44.751Z

NVD

Status: Deferred

Published: 2026-04-21T10:16:30.623

Modified: 2026-05-19T15:43:28.500

Link: CVE-2026-3317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:40Z

Weaknesses