Description
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column whenever an event (e.g., an unhandled exception) is logged. The admin event-log page (YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs) later deserializes that JSON in FormatStackTrace() and interpolates the UserAgent value directly into an HTML string with no encoding, and the Razor view EventLog.cshtml emits the result through @Html.Raw. This vulnerability is fixed in 4.0.5 and 3.2.12.
Published: 2026-05-12
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises because YAF.NET's database logger writes the request's User‑Agent header into the event log without validation or encoding. When an administrator later opens the event‑log page, the stored JSON is deserialized and the UserAgent value is interpolated into an HTML string that the view emits with @Html.Raw, so attacker‑controlled markup in the header becomes script running in the administrator's browser. This is a second‑order stored XSS: the payload is planted by an unauthenticated request that triggers a logged event (for example, an unhandled exception) and fires only when an administrator views the log, which can lead to session hijacking, credential theft, or further actions performed with the administrator's privileges.

Affected Systems

YetAnotherForum.NET (YAF.NET) is vulnerable in releases before 4.0.5 and, on the 3.x branch, before 3.2.12. The affected components are the database logger (YAFNET.Core/Logger/DbLogger.cs), which records the User‑Agent header of the request that triggered a logged event, and the admin event‑log page (YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs and its Razor view EventLog.cshtml), which renders the stored entries.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 8.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N: the payload can be planted over the network by an unauthenticated client using nothing more than a crafted User‑Agent header on an ordinary HTTP request, but execution depends on an administrator opening the event‑log page (UI:R). No EPSS score is available, so the likelihood of exploitation in the wild is unknown; the SSVC assessment recorded in the history below rates Exploitation as 'poc', meaning a proof of concept or well‑known exploitation method exists but active exploitation has not been reported. The flaw is not listed in CISA's KEV catalog, but forums running affected versions should treat it as a serious risk because a planted payload persists in the database until the entry is removed.

Generated by OpenCVE AI on May 12, 2026 at 16:51 UTC.

Remediation

The advisory states that the vulnerability is fixed in 4.0.5 and 3.2.12; no vendor workaround for earlier releases is listed.

OpenCVE Recommended Actions

  • Upgrade YAF.NET to 4.0.5 (or 3.2.12 on the 3.x branch) to eliminate the insecure logging and rendering logic.
  • Delete or sanitize existing event‑log entries whose stored UserAgent value contains HTML markup, to remove payloads planted before the upgrade.
  • If upgrading is not immediately possible, HTML‑encode the UserAgent value (for example with HtmlEncoder.Default.Encode) before it is interpolated in FormatStackTrace(), or stop emitting the result through @Html.Raw so that Razor's default output encoding applies.
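The flow described under Impact, together with the encoding fix and the triage step in the recommended actions, as an added example. This is illustrative code written for this page, not YAF.NET's DbLogger or EventLog page: it models what the advisory describes (a JObject holding the User‑Agent, serialized with JsonConvert into the Description column, parsed back and interpolated into markup) using hypothetical method names. The hardened path encodes the value with System.Text.Encodings.Web.HtmlEncoder before interpolation, and LooksInjected is a simple screen for stored rows worth deleting. The JSON layout, the surrounding markup and the sample inputs are assumptions constructed for the example.

```csharp
// Added example, not YAF.NET code. Models the round trip the advisory describes
// with hypothetical names; the JSON layout and markup are assumptions.
using System;
using System.Text.Encodings.Web;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class EventLogXssDemo
{
    // Stage 1: what the logger writes to EventLog.Description (per the advisory,
    // a JObject carrying the request's User-Agent, serialized with JsonConvert).
    public static string StoreDescription(string userAgent, string exceptionText)
    {
        var json = new JObject
        {
            ["UserAgent"] = userAgent,
            ["Exception"] = exceptionText
        };
        return JsonConvert.SerializeObject(json);
    }

    // Stage 2a: the vulnerable pattern. The value goes into markup unencoded,
    // and the view then emits this string through @Html.Raw.
    public static string VulnerableRender(string storedDescription)
    {
        var json = JObject.Parse(storedDescription);
        var userAgent = json["UserAgent"]?.ToString() ?? string.Empty;
        return $"<p><strong>User-Agent:</strong> {userAgent}</p>";
    }

    // Stage 2b: hardened. Encode before interpolation, so the string is inert
    // even if the Razor view still emits it with @Html.Raw.
    public static string SafeRender(string storedDescription)
    {
        var json = JObject.Parse(storedDescription);
        var userAgent = json["UserAgent"]?.ToString() ?? string.Empty;
        var encoded = HtmlEncoder.Default.Encode(userAgent);
        return $"<p><strong>User-Agent:</strong> {encoded}</p>";
    }

    // Triage helper for rows already in the table: flag a stored description
    // whose UserAgent carries characters that are meaningful as HTML.
    public static bool LooksInjected(string storedDescription)
    {
        JObject json;
        try { json = JObject.Parse(storedDescription); }
        catch (JsonReaderException) { return false; }
        var userAgent = json["UserAgent"]?.ToString() ?? string.Empty;
        return userAgent.IndexOfAny(new[] { '<', '>', '"', '\'' }) >= 0;
    }

    public static void Main()
    {
        // Constructed samples: a benign browser UA and an attacker-supplied one.
        var benign = StoreDescription("Mozilla/5.0 (X11; Linux x86_64)", "NullReferenceException");
        var hostile = StoreDescription("<img src=x onerror=alert(document.cookie)>", "NullReferenceException");

        Console.WriteLine(VulnerableRender(hostile)); // the img tag survives intact
        Console.WriteLine(SafeRender(hostile));       // angle brackets and quotes are entity-encoded
        Console.WriteLine(LooksInjected(benign));     // benign UA: no HTML metacharacters
        Console.WriteLine(LooksInjected(hostile));    // hostile UA: flagged for deletion
    }
}
```

Encoding at the point of interpolation rather than in the view is the more robust choice here: it protects every consumer of FormatStackTrace(), not only the one Razor page, and removing @Html.Raw on top of that gives defence in depth. LooksInjected is deliberately crude (it keys only on HTML metacharacters in the UserAgent property) and is meant as a first pass over the EventLog table before deleting suspect rows, not as a sanitizer.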

Advisories
Source: GitHub GHSA
ID: GHSA-33gv-fc78-qgf5
Title: YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
History

Tue, 12 May 2026 16:15:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 15:00:00 +0000

Description, values added: the advisory text reproduced in the Description section above
Title, values added: YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
Weaknesses, values added: CWE-116, CWE-79, CWE-80
References, values added: none recorded
Metrics (cvssV3_1), values added:
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T15:39:46.446Z

Reserved: 2026-05-04T16:59:09.089Z

Link: CVE-2026-43938

Vulnrichment

Updated: 2026-05-12T15:39:40.574Z

NVD

Status: Received

Published: 2026-05-12T15:16:15.497

Modified: 2026-05-12T16:16:24.030

Link: CVE-2026-43938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T17:00:11Z

Weaknesses