Description
A vulnerability was determined in dameng100 muucmf 1.9.5.20260309. This affects an unknown function of the file /admin/extend/list.html. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

A remote cross‑site scripting vulnerability exists in Dameng100 muucmf version 1.9.5.20260309, affecting the /admin/extend/list.html page. The flaw allows an attacker to craft a malicious Name parameter that is reflected unencoded in the page, enabling arbitrary JavaScript execution in the browser of any user who views the page. This can compromise confidentiality through theft of session cookies, allow manipulation of the interface, or enable further attacks, and it violates the integrity of the admin console. The weakness matches CWE‑79 and can potentially involve code evaluation, reported as CWE‑94.

Affected Systems

The vulnerability is present in the Dameng100 muucmf product, specifically version 1.9.5.20260309. Operators running this admin interface are exposed, while users who only view public content are less likely to be affected unless they open the manipulated page.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog, but the exploit has been publicly disclosed, implying active exploitation potential. The attack can be triggered remotely by sending a crafted request to /admin/extend/list.html; authentication is not explicitly required, suggesting that exposure may be possible to unauthenticated network users with access to the admin domain.

Generated by OpenCVE AI on March 26, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dameng100 muucmf to a patched version that eliminates the XSS flaw in /admin/extend/list.html.
  • If a patch is not available, restrict the /admin/extend/list.html endpoint so that only authenticated administrators can access it, preferably behind a firewall or VPN.
  • Implement input sanitization or output escaping for the Name field to neutralize injected scripts.
  • Deploy a web application firewall rule to block common XSS payloads targeting the Name parameter.
  • Continuously monitor web logs and security alerts for attempts to inject scripts into the admin area.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dameng100; Dameng100 muucmf
Vendors & Products | | Dameng100; Dameng100 muucmf

Thu, 26 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in dameng100 muucmf 1.9.5.20260309. This affects an unknown function of the file /admin/extend/list.html. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | dameng100 muucmf list.html cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-26T18:27:28.900Z

Reserved: 2026-03-25T14:51:36.080Z

Link: CVE-2026-4848

Vulnrichment

Updated: 2026-03-26T18:27:25.005Z

NVD

Status: Deferred

Published: 2026-03-26T07:16:21.020

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-4848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:17Z
