Description
A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw found in dameng100 muucmf 1.9.5.20260309. An unknown function within the file channel/admin.Account/autoReply.html can be manipulated through the keyword argument, allowing an attacker to inject arbitrary client‑side script. The injected script runs in the victim’s browser, potentially leading to theft of session cookies, defacement, or further attacks. This flaw is an instance of CWE‑79 (XSS) and is considered a moderate‑severity vulnerability.

Affected Systems

Dameng100 muucmf software version 1.9.5.20260309 is vulnerable. The affected component is the autoReply.html page located in channel/admin.Account. No other versions or products were listed; therefore only the specified version is considered at risk.

Risk and Exploitability

The CVSS score for this issue is 5.3, indicating a moderate impact. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting it hasn't been widely exploited. The flaw can be exploited remotely via HTTP requests to the problematic endpoint, and the exploit has already been made public. Because the vendor did not respond to the initial disclosure, the window for a patch is uncertain, raising the risk for organizations still running the affected build.

Generated by OpenCVE AI on March 26, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether a patch is available from the vendor; if so, apply it.
  • If no patch is available, implement input sanitization and output encoding for the keyword argument handled by autoReply.html to prevent script injection.
  • Deploy a Web Application Firewall or a Content Security Policy to block malicious scripts from executing.
  • Disable or restrict external access to the autoReply.html endpoint if not needed.
  • Monitor web logs for suspicious requests targeting autoReply.html and investigate incidents.

Generated by OpenCVE AI on March 26, 2026 at 07:22 UTC.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 26 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Dameng100 |
| | | Dameng100 muucmf |
| Vendors & Products | | Dameng100 |
| | | Dameng100 muucmf |

Thu, 26 Mar 2026 06:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Title | | dameng100 muucmf autoReply.html cross site scripting |
| Weaknesses | | CWE-79 |
| | | CWE-94 |
| References | | |
| Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-26T18:25:37.762Z

Reserved: 2026-03-25T14:51:29.579Z

Link: CVE-2026-4846

Vulnrichment

Updated: 2026-03-26T18:22:52.631Z

NVD

Status: Deferred

Published: 2026-03-26T06:16:09.787

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-4846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:27Z