Description
A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross-Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The z-9527 admin application contains a flaw in the Message Create Endpoint located in /server/routes/message.js. When a message is submitted, user-supplied data is rendered in a browser without proper sanitization, allowing an attacker to inject JavaScript. The result is cross-site scripting that can run arbitrary code in the context of another user's browser session. The vulnerability relies on ordinary web request and response handling and does not require local access or privileged execution on the server.

Affected Systems

The flaw affects the 1.0 and 2.0 releases of the z-9527 admin component. No other product versions have been reported as impacted. Systems running either of these releases are exposed if the message creation functionality is enabled and not patched.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity, and EPSS data is unavailable. The publicly available exploit demonstrates that the attack can be carried out remotely by sending a crafted HTTP request to the vulnerable endpoint. The vendor has not provided a fix, and the vulnerability is absent from the CISA Known Exploited Vulnerabilities list, so automated prioritization that keys on KEV membership may overlook it. The moderate score, lack of vendor remediation, and confirmed public exploit combine to make the risk significant for running installations.

Generated by OpenCVE AI on April 1, 2026 at 06:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any official patch for z-9527 admin 1.0/2.0, or upgrade to a fixed version once one is available.
  • Restrict or sanitize all user-supplied input on the Message Create Endpoint before rendering it in a browser.
  • If the message creation feature is unnecessary, disable or remove /server/routes/message.js from production.
  • Deploy a web application firewall or similar controls to detect and block requests containing script payloads.
  • Monitor web server logs for suspicious script injection attempts and block offending IP addresses.
  • Contact the vendor again, citing the publicly released exploit, and request a formal fix; involve external security experts if necessary.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Z-9527; Z-9527 admin

Type: Vendors & Products
Values Added: Z-9527; Z-9527 admin

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 04:00:00 +0000

Type: Description
Values Added: A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: z-9527 admin Message Create Endpoint message.js cross site scripting

Type: Weaknesses
Values Added: CWE-79; CWE-94

Type: References
Values Added:

Type: Metrics
Values Added: cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T15:50:24.439Z

Reserved: 2026-03-31T16:11:40.802Z

Link: CVE-2026-5252

Vulnrichment

Updated: 2026-04-01T15:43:11.611Z

NVD

Status : Awaiting Analysis

Published: 2026-04-01T04:17:11.457

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-5252

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:18:30Z

Weaknesses