Description
A weakness has been identified in bufanyun HotGo 1.0/2.0. Affected by this vulnerability is an unknown functionality of the file /web/src/layout/components/Header/MessageList.vue of the component editNotice Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in HotGo 1.0/2.0, in the MessageList.vue component behind the editNotice endpoint. By manipulating input to that component, an attacker can inject arbitrary JavaScript that executes in victims' browsers. Such cross-site scripting can lead to credential theft, session hijacking, or defacement. The flaw is a classic unsanitized-input error, classified as CWE-79.

Affected Systems

HotGo, an open-source project from bufanyun, is affected in its 1.0 and 2.0 releases. Any deployment that uses the editNotice feature and serves the MessageList.vue component remains vulnerable. Users should confirm their HotGo installation version and whether the component is active.

Risk and Exploitability

The CVSS base score of 5.1 indicates medium severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, but a publicly available exploit shows that the attack can be launched remotely. Because the flaw arises from client-side template rendering, it can be triggered by simply visiting a crafted URL, so the risk applies to any authenticated or unauthenticated user who can reach the editNotice endpoint.

Generated by OpenCVE AI on April 1, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the patch supplied in the publicly available vulnerability repository (https://github.com/CC-T-454455/Vulnerabilities).
  • If the patch cannot be applied, disable or remove the editNotice endpoint from the HotGo instance to block the vulnerable component.
  • Ensure input values rendered in MessageList.vue are properly escaped or sanitized to prevent script injection.
  • Update HotGo to a later major release if available, or apply any vendor‑issued fixes once released.
  • Monitor application logs and user activity for signs of XSS exploitation.
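As an added example (not HotGo's own code; the notice field names `title` and `content` and the sample records are assumptions constructed for illustration), the following JavaScript shows the two halves of the recommendations above: output-encoding notice fields before they reach the DOM, which is what Vue's `{{ }}` text interpolation does and `v-html` bypasses, and a heuristic check a defender can run over exported notice records or log entries to flag stored values that carry markup.

```javascript
// Added example, not code from HotGo. Field names and sample data are assumptions.

// Minimal HTML output encoding for the five characters that matter in text and
// attribute contexts. Vue's {{ }} interpolation applies equivalent escaping;
// v-html / innerHTML do not.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Unsafe rendering: raw notice fields are concatenated into markup, which is
// equivalent to binding untrusted data with v-html.
function renderNoticeUnsafe(notice) {
  return `<li class="notice"><b>${notice.title}</b>: ${notice.content}</li>`;
}

// Safe rendering: every interpolated field is escaped, so any tags in the
// stored notice are displayed as text instead of being interpreted.
function renderNoticeSafe(notice) {
  return `<li class="notice"><b>${escapeHtml(notice.title)}</b>: ${escapeHtml(notice.content)}</li>`;
}

// Heuristic detector for stored notice fields that contain markup: an HTML tag,
// a javascript: URL, or an inline event-handler attribute. It is deliberately
// broad (it will flag legitimate "<b>" formatting too) because notice text is
// not expected to carry markup at all; review the hits rather than auto-delete.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=/i;

function containsMarkup(value) {
  return MARKUP_PATTERN.test(String(value));
}

// Return the ids of notices whose title or content would be interpreted as
// HTML if rendered raw. Run this over an export of stored notices or over
// audit-log entries for editNotice requests.
function auditNotices(notices) {
  return notices
    .filter((n) => containsMarkup(n.title) || containsMarkup(n.content))
    .map((n) => n.id);
}

// Constructed sample notices (not real HotGo data).
const SAMPLE_NOTICES = [
  { id: 1, title: "Maintenance", content: "Planned downtime Friday 02:00 UTC" },
  { id: 2, title: "Welcome <b>all</b>", content: "<script>alert('xss')</script>" },
];

// Stand-alone usage: prints the flagged ids and both renderings of notice 2.
console.log("flagged notice ids:", auditNotices(SAMPLE_NOTICES));
console.log("unsafe:", renderNoticeUnsafe(SAMPLE_NOTICES[1]));
console.log("safe:  ", renderNoticeSafe(SAMPLE_NOTICES[1]));
```

In a Vue component the fix is usually to bind notice fields with `{{ }}` or `v-text` rather than `v-html`; if rich text is genuinely required, sanitize it with a dedicated HTML sanitizer on the server before storage, and keep the audit check as a detective control for records written before the fix.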

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Bufanyun; Bufanyun hotgo

Type: Vendors & Products
Values Added: Bufanyun; Bufanyun hotgo

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 04:00:00 +0000

Type: Description
Values Added: A weakness has been identified in bufanyun HotGo 1.0/2.0. Affected by this vulnerability is an unknown functionality of the file /web/src/layout/components/Header/MessageList.vue of the component editNotice Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: bufanyun HotGo editNotice Endpoint MessageList.vue cross site scripting

Type: Weaknesses
Values Added: CWE-79; CWE-94

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0
{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T19:05:29.371Z

Reserved: 2026-03-31T16:13:21.226Z

Link: CVE-2026-5253

Vulnrichment

Updated: 2026-04-01T19:05:25.211Z

NVD

Status: Awaiting Analysis

Published: 2026-04-01T04:17:12.690

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-5253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:18:29Z

Weaknesses