Description
A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deck9 Input v2.0.1 contains a cross‑site scripting flaw that permits an attacker to inject arbitrary HTML or JavaScript into the interface. The CVE description states that a crafted payload can cause the browser to execute code provided by the attacker. The primary weakness is improper input sanitization (CWE‑79). If a victim loads the page, the injected code will run with the same privileges as the page – this is inferred because the description implies client‑side execution but does not explicitly state the exact user interaction.

Affected Systems

Deck9 Input version 2.0.1 is affected. No other product or version is listed as impacted in the current dataset. Users deploying v2.0.1 of the Deck9 Input web component are at risk.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests exploit attempts are rare. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker would need to supply a crafted payload to an input field exposed by the application, which could be reachable to authenticated or unauthenticated users depending on the UI. The presumed impact is limited to client browsers and does not allow direct server compromise.

Generated by OpenCVE AI on June 18, 2026 at 01:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Deck9 Input release that fixes the input sanitization flaw
  • If an update is unavailable, restrict access to the web interface so only trusted users can reach it
  • Implement a content‑security policy that blocks inline script execution

Generated by OpenCVE AI on June 18, 2026 at 01:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Deck9
Deck9 deck9 Input
Vendors & Products Deck9
Deck9 deck9 Input

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Deck9 Input v2.0.1 Cross‑Site Scripting Vulnerability

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Deck9 Input v2.0.1 Cross‑Site Scripting Vulnerability

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
References

Subscriptions

Deck9 Deck9 Input
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T17:12:39.776Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50876

cve-icon Vulnrichment

Updated: 2026-06-16T16:00:28.380Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:30.500

Modified: 2026-06-16T19:17:00.113

Link: CVE-2026-50876

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')