CVE-2026-48999 - Vulnerability Details

- Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product

Description

Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.

Published: 2026-05-27

Score: 5.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw allows attackers to insert malicious JavaScript code that is permanently saved in the system. When other users open affected pages, the browser automatically runs the code, enabling cookie theft, session hijack, and tampering with displayed content. Because the code is stored on the server, the vulnerability can impact many users and remains hidden until a victim interacts with the compromised page.

Affected Systems

The vulnerability is present in ZTE’s ZXUniPOS NDS‑LTE point‑of‑sale product, as disclosed by ZTE. No specific firmware or software version list was provided.

Risk and Exploitability

With a CVSS score of 5.7 the issue is considered moderate severity. Exploitation is possible through the web interface where attackers can supply crafted input; the attack is performed by a remote user and relies on the application’s failure to sanitize or encode stored content. The EPSS metric is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating no known active exploits at the time of this analysis.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ZTE

ZTE ZXUniPOS NDS-LTE

unaffected

Version	Status	Constraints
`V24.30.40CP02 and earlier versions`	affected	—
`V24.40.40 and earlier versions`	affected	—

No data.

Vendor Product Confidence Versions

Zte

Zxunipos Nds-lte

91%

Version	Status	Scheme	Platform
`[0,V24.30.40CP02]`	affected	generic	—
`[0,V24.40.40]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest firmware or software release from ZTE that includes input sanitization for stored data
Configure the application to reject or escape script tags and other executable input before storing it
Implement a Content Security Policy that restricts the execution of inline scripts and disallows loading scripts from untrusted sources

Generated by OpenCVE AI on May 27, 2026 at 09:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2811026568490730190

History

Wed, 27 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zte Zte zxunipos Nds-lte
Vendors & Products		Zte Zte zxunipos Nds-lte

Wed, 27 May 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L'}`	cvssV3_1 `{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L'}`

Wed, 27 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.
Title		Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product
Weaknesses		CWE-79
References		https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2811026568490730190
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L'}`

Subscriptions

Zte Zxunipos Nds-lte

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2026-05-27T02:25:20.004Z

Updated: 2026-05-27T17:59:27.083Z

Reserved: 2026-05-27T01:01:53.326Z

Link: CVE-2026-48999

Vulnrichment

Updated: 2026-05-27T17:59:23.018Z

NVD

Status : Deferred

Published: 2026-05-27T04:16:31.463

Modified: 2026-05-27T19:59:03.360

Link: CVE-2026-48999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T09:45:30Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object