CVE-2026-41147 - Vulnerability Details

Description

NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and attributes in user-submitted content, which can be bypassed by intercepting and modifying HTTP requests directly (e.g., using Burp Suite). An attacker can inject malicious payloads which are stored server-side and executed in the browser of any user who views the content. Anyone viewing user-submitted content (such as administrators and moderators reviewing contact messages or comments) is impacted, and the vulnerability can be exploited by any anonymous visitor without authentication, with the Contact module used only as a proof of concept. Potential consequences include session hijacking through cookie theft, unauthorized actions performed under the victim's identity, defacement or redirection to phishing pages, and phishing attacks via manipulated email notifications. This issue has been fixed in version 4.5.08. If developers are unable to upgrade immediately, they should work around this issue by implementing server-side HTML sanitization in the Request class to strip or encode dangerous tags and attributes (e.g., <iframe>, srcdoc, event handlers like onerror/onload), enforcing a Content Security Policy (CSP) to restrict inline script execution, and set cookies with the HttpOnly flag to mitigate cookie theft via XSS.

Published: 2026-05-22

Score: 8.7 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

NukeViet CMS versions 4.5.07 and prior contain a stored cross‑site scripting flaw that arises when server‑side input sanitization in the Request class is insufficient. The CMS relies mainly on client‑side filtering, allowing an attacker to bypass these checks by modifying HTTP traffic with a proxy such as Burp Suite. By injecting malicious payloads that are then stored, any user who views the affected content—including administrators, moderators, and other visitors—will execute the injected code in their browser. This can lead to session hijacking through cookie theft, unauthorized actions carried out under the victim’s identity, site defacement, redirection to phishing sites, and manipulation of email notifications.

Affected Systems

NukeViet CMS v4.5.07 and earlier are affected. The vulnerability is fixed in version 4.5.08, so any deployment running 4.5.07 or earlier should be upgraded or otherwise remediated.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity vulnerability, and although no EPSS score is available, the lack of required authentication combined with the ability to use any anonymous visitor to submit malicious content makes exploitation straightforward. The vulnerability is not yet listed in CISA’s KEV catalog, but the attack path—remote HTTP request manipulation and stored payload execution—is well understood and can be carried out with common web‑intercept tools. Administrators should therefore consider the vulnerability a high‑risk threat until a patch or vendor‑approved workaround is in place.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

nukeviet

affected

Version	Status	Constraints
`< 4.5.08`	affected	—

No data.

Vendor Product Confidence Versions

Nukeviet

100%

Version	Status	Scheme	Platform
`[0,4.5.08)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch by upgrading to NukeViet CMS 4.5.08 or newer.
If an upgrade cannot be performed immediately, modify the Request class to perform server‑side HTML sanitization, removing dangerous tags and attributes such as <iframe> and inline event handlers.
Enforce a strong Content Security Policy that blocks inline scripts and restricts script sources to trusted origins.
Set the HttpOnly flag on all authentication cookies used by the CMS to mitigate cookie theft via XSS.

Generated by OpenCVE AI on May 22, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-64rr-pp78-62ww	NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/nukeviet/nukeviet/commit/2a0860fbe22e2f6a3b90f802bf80b25e18699611
https://github.com/nukeviet/nukeviet/releases/tag/4.5.08
https://github.com/nukeviet/nukeviet/security/advisories/GHSA-64rr-pp78-62ww

History

Fri, 22 May 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nukeviet Nukeviet nukeviet
Vendors & Products		Nukeviet Nukeviet nukeviet

Fri, 22 May 2026 22:00:00 +0000

Type	Values Removed	Values Added
Description		NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and attributes in user-submitted content, which can be bypassed by intercepting and modifying HTTP requests directly (e.g., using Burp Suite). An attacker can inject malicious payloads which are stored server-side and executed in the browser of any user who views the content. Anyone viewing user-submitted content (such as administrators and moderators reviewing contact messages or comments) is impacted, and the vulnerability can be exploited by any anonymous visitor without authentication, with the Contact module used only as a proof of concept. Potential consequences include session hijacking through cookie theft, unauthorized actions performed under the victim's identity, defacement or redirection to phishing pages, and phishing attacks via manipulated email notifications. This issue has been fixed in version 4.5.08. If developers are unable to upgrade immediately, they should work around this issue by implementing server-side HTML sanitization in the Request class to strip or encode dangerous tags and attributes (e.g., <iframe>, srcdoc, event handlers like onerror/onload), enforcing a Content Security Policy (CSP) to restrict inline script execution, and set cookies with the HttpOnly flag to mitigate cookie theft via XSS.
Title		NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class
Weaknesses		CWE-79
References		https://github.com/nukeviet/nukeviet/commit/2a0860fbe22e2f6a3b90f802bf80b25e18699611 https://github.com/nukeviet/nukeviet/releases/tag/4.5.08 https://github.com/nukeviet/nukeviet/security/advisories/GHSA-64rr-pp78-62ww
Metrics		cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}`

Subscriptions

Nukeviet Nukeviet

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-22T21:45:21.190Z

Updated: 2026-05-22T21:45:21.190Z

Reserved: 2026-04-17T12:59:15.739Z

Link: CVE-2026-41147

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T23:30:03Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object