Description
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a a post or reply that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. This vulnerability is fixed in 4.0.5 and 3.2.12.
Published: 2026-05-12
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the thread posting and reply feature of YetAnotherForum.NET. The application accepts user‑supplied content and stores it without proper HTML sanitization or contextual output encoding. When a thread page is rendered, the unsanitized content is inserted directly into the page, allowing an attacker to embed arbitrary JavaScript. This results in malicious scripts executing in the browsers of any user who views the affected thread.

Affected Systems

YAF.NET forum software from YAFNET prior to version 4.0.5 and 3.2.12 is affected. Both the 4.x and 3.x releases contain the flaw; any host running an older version should verify its installed version and plan remediation.

Risk and Exploitability

The CVSS score of 7.3 indicates a high risk to confidentiality, integrity, and availability for users visiting the forum. The exploit is achieved through a standard web input form and applies to every thread viewed, suggesting a non‑negligible exploitation likelihood. Although the EPSS information is not available and the vulnerability is not listed in the CISA KEV catalogue, the stored XSS can be triggered by any user submitting malicious content, creating a broad threat surface.

Generated by OpenCVE AI on May 12, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official YAF.NET upgrade to version 4.0.5 or 3.2.12, which contains the fix for the stored XSS.
  • If an upgrade cannot be performed immediately, limit posting or reply capabilities to trusted users only and consider disabling new thread creation temporarily to prevent injection of malicious content.
  • As a short‑term workaround, configure the forum to escape all user‑supplied input before rendering or integrate a content‑sanitization library to strip scripts from posts.

Generated by OpenCVE AI on May 12, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8rq5-wwpp-fmj2 YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers
History

Tue, 12 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a a post or reply that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. This vulnerability is fixed in 4.0.5 and 3.2.12.
Title YAF.NET: Stored XSS in Forum Thread Posts/Replies Allowing Arbitrary JavaScript Execution for All Thread Viewers
Weaknesses CWE-116
CWE-79
CWE-80
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:56:39.586Z

Reserved: 2026-05-04T16:59:09.089Z

Link: CVE-2026-43939

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T15:16:15.647

Modified: 2026-05-12T15:16:15.647

Link: CVE-2026-43939

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T16:30:19Z

Weaknesses