Description
FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin.
Published: 2026-05-05
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows arbitrary client‑side scripts to be injected through the TextHTML plugin in FluentCMS 1.2.3, which can execute in the browser context of any user who views the affected content.

Affected Systems

FluentCMS 1.2.3, specifically the TextHTML plugin.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. XSS vulnerabilities usually depend on the ability to submit user‑controlled input; here an attacker would need access to the content creation interface. The EPSS score of less than 1% suggests a low probability of exploitation, and the issue is not listed in CISA KEV. The risk remains that scripts could run in the user’s browser, potentially exposing session data or manipulating the page.

Generated by OpenCVE AI on May 6, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FluentCMS to a version that fixes the TextHTML plugin XSS flaw
  • If an upgrade is not yet possible, disable or remove the TextHTML plugin until the patch is available
  • Implement input sanitization or output escaping for HTML content submitted through the plugin as an interim safeguard



Advisories

No advisories yet.

History

Wed, 06 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Cross Site Scripting Vulnerability in FluentCMS TextHTML Plugin

Wed, 06 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Fluentcms
Fluentcms fluentcms
Vendors & Products Fluentcms
Fluentcms fluentcms

Tue, 05 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Cross Site Scripting Vulnerability in FluentCMS TextHTML Plugin
Weaknesses CWE-79

Tue, 05 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T15:25:56.603Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38947

Vulnrichment

Updated: 2026-05-06T12:55:24.810Z

NVD

Status: Deferred

Published: 2026-05-05T20:16:38.513

Modified: 2026-05-06T16:16:08.757

Link: CVE-2026-38947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T18:00:12Z

Weaknesses