Description
A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \gougucms-master\app\admin\view\user\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Monitor
AI Analysis

Impact

A cross‑site scripting vulnerability exists in gougucms version 4.08.18 within the Record Endpoint at record.html. An attacker can inject malicious script by manipulating the value.content argument. The flaw is exploitable remotely and a public exploit demonstrates its use. Successful exploitation allows arbitrary script execution in the victim's browser, enabling session hijacking, data theft, or malicious actions performed under the victim's authority. The impact is confined to client‑side code execution and does not directly compromise the server or its data.

Affected Systems

The flaw affects the gougucms content management system, specifically version 4.08.18, and the Record Endpoint module. No other vendors or product variations were listed, and the issue is limited to this version of gougucms.

Risk and Exploitability

With a CVSS base score of 5.1, the vulnerability carries a moderate severity. EPSS information is unavailable, and it is not included in the CISA KEV catalog. The publicly available proof‑of‑concept shows that the exploit can be launched remotely by sending a crafted request to the value.content parameter. Because the attack requires only client interaction with the vulnerable page, the risk is high for users who visit the affected endpoint. The lack of an official vendor patch places the burden of mitigation on site administrators.

Generated by OpenCVE AI on April 1, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Continuously monitor application logs and security tools for requests targeting /user/record.html that include unexpected or malicious value.content payloads.
  • Implement input validation or sanitization on the value.content parameter before it is inserted into the page.
  • Deploy a strong Content Security Policy that blocks inline scripts and restricts script sources for the affected pages.
  • If the Record Endpoint feature is not needed, disable or remove it from the application to eliminate the attack surface.
  • Regularly check the gougucms community forums or official website for an updated release or patch that addresses the XSS flaw.



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \gougucms-master\app\admin\view\user\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | gougucms Record Endpoint record.html cross site scripting
First Time appeared | | Gougucms; Gougucms gougucms
Weaknesses | | CWE-79; CWE-94
CPEs | | cpe:2.3:a:gougucms:gougucms:*:*:*:*:*:*:*:*
Vendors & Products | | Gougucms; Gougucms gougucms
References | |
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T16:37:46.875Z

Reserved: 2026-03-31T16:00:50.059Z

Link: CVE-2026-5249

Vulnrichment

Updated: 2026-04-03T16:37:39.282Z

NVD

Status: Deferred

Published: 2026-04-01T02:16:03.890

Modified: 2026-04-24T18:12:06.580

Link: CVE-2026-5249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:18:34Z
