Description
A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. Affected by this issue is some unknown functionality of the file /ui/app/components/AppJsonTreeView.vue of the component Webhook Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Assess Impact
AI Analysis

Impact

A flaw in the AppJsonTreeView component of welovemedia FFmate allows a remote attacker to inject script through input that reaches the Webhook Handler and is rendered by the JSON tree view, leading to cross-site scripting. Script delivered this way runs in the browser session of whoever views the affected page, where it can read session data or perform actions as that user. The record assigns CWE-79 (improper neutralization of input during web page generation) and CWE-94 (improper control of code generation); it does not say whether the injection is stored or reflected, nor which field of the webhook data is the sink. "Remote" here means network-reachable, not unauthenticated: every CVSS vector on the record requires low privileges (PR:L) and user interaction (UI:R in v3.x, UI:P in v4.0), so the attacker needs some level of access and a victim must view the rendered content.

Affected Systems

The affected product is welovemedia FFmate; the vulnerable code is the Webhook Handler's UI component at /ui/app/components/AppJsonTreeView.vue. Versions up to and including 2.0.15 are affected; the record lists no fixed version.

Risk and Exploitability

The CVSS 4.0 score of 5.1 (Medium) reflects a network-reachable flaw with low attack complexity, offset by the low privileges and user interaction it requires; the CVSS 3.x vectors score the same issue at 3.5 (Low). Exploit code has been published, which raises the likelihood of abuse, although the EPSS estimate is below 1%, the issue is not in the CISA KEV catalog, and the SSVC assessment on the record rates it as not automatable with proof-of-concept exploitation only. Security teams should still treat it as a notable threat: script delivered through the component executes in the context of any user who views it, which can lead to session hijacking or defacement of the application UI.

Generated by OpenCVE AI on April 1, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed FFmate version; every release up to and including 2.0.15 is affected. If the vendor publishes a patched release, apply it promptly
  • If no official update exists, consider disabling or restricting the Webhook Handler component (for example, limiting which sources may post to it) until a fix is released
  • Deploy a web application firewall rule to block XSS payloads against the vulnerable endpoint, treating it as a stopgap: a WAF filters known patterns and does not replace output encoding, and it cannot remove a payload that has already been stored
  • Monitor application logs for anomalous webhook requests carrying HTML or script fragments that may target the AppJsonTreeView component
  • Reach out again to welovemedia to request an official fix or response
  • Implement general XSS hardening, such as context-aware escaping of every untrusted value (keys as well as values) before it reaches the page, and a Content Security Policy that disallows inline script to limit the impact of any injection that slips through
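The last item is where this bug class lives. The record does not show how AppJsonTreeView.vue renders webhook data, so the following is an illustration added by the editor, not FFmate's code: a minimal JSON tree renderer that builds HTML by string concatenation (the vulnerable shape) next to the same renderer with context-aware escaping. The webhook payload, the function names and the list of tags checked for are all constructed for the example and are not taken from the advisory.

```javascript
// Added illustration of the XSS pattern and its fix in a JSON tree renderer.
// Not FFmate's AppJsonTreeView.vue; the component's real rendering path is
// not shown in the advisory. Payload and function names are hypothetical.

// Constructed webhook body: whoever can post to the webhook controls both
// the keys and the values of the JSON that the UI will render.
const HOSTILE_PAYLOAD = {
  event: "task.finished",
  '<img src=x onerror="alert(1)">': "key injection",
  output: { path: "/tmp/out.mp4<script>alert(document.cookie)</script>" },
};

// VULNERABLE: raw keys and values are concatenated straight into markup.
// If the result is later assigned via innerHTML (or Vue's v-html), the
// injected elements are parsed and any event handler or script runs.
function renderTreeUnsafe(value, depth = 0) {
  const pad = "  ".repeat(depth);
  if (value !== null && typeof value === "object") {
    return Object.entries(value)
      .map(([k, v]) => `${pad}<li><b>${k}</b>: ${renderTreeUnsafe(v, depth + 1)}</li>`)
      .join("\n");
  }
  return `<span class="leaf">${String(value)}</span>`;
}

// Escape for the HTML element-text context. These five characters are
// sufficient for text content; attribute, URL and script contexts each
// need their own encoder, which this helper does not provide.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// HARDENED: every untrusted fragment, keys included, is escaped at the point
// it enters the text context. Markup structure comes only from literals the
// renderer itself writes, never from the data.
function renderTreeSafe(value, depth = 0) {
  const pad = "  ".repeat(depth);
  if (value !== null && typeof value === "object") {
    return Object.entries(value)
      .map(([k, v]) => `${pad}<li><b>${escapeHtml(k)}</b>: ${renderTreeSafe(v, depth + 1)}</li>`)
      .join("\n");
  }
  return `<span class="leaf">${escapeHtml(value)}</span>`;
}

// Crude post-render check: does the markup contain a tag the renderer itself
// never emits? The renderer only writes li, b and span, so any of these
// means data was parsed as markup. The tag list is illustrative.
function containsForeignTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}

// Run both renderers over a payload and report which one leaks markup.
function compareRenderers(payload) {
  return {
    unsafeLeaks: containsForeignTag(renderTreeUnsafe(payload)),
    safeLeaks: containsForeignTag(renderTreeSafe(payload)),
  };
}
```

In a Vue single-file component the same distinction is between `v-html` / `innerHTML`, which hand the string to the parser as markup, and `{{ }}` interpolation or `textContent`, which the framework escapes the way escapeHtml does here. Two points practitioners tend to miss: keys are a sink as well as values, since the sender of a webhook chooses both, and escapeHtml is only correct for element text; a value placed in an attribute, a URL or a script block needs the encoder for that context.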

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Welovemedia; Welovemedia ffmate
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Welovemedia; Welovemedia ffmate

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 05:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. Affected by this issue is some unknown functionality of the file /ui/app/components/AppJsonTreeView.vue of the component Webhook Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
  Values Removed: (none)
  Values Added: welovemedia FFmate Webhook AppJsonTreeView.vue cross site scripting
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79; CWE-94
Type: References
Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T11:46:56.167Z

Reserved: 2026-03-31T16:15:53.686Z

Link: CVE-2026-5254

Vulnrichment

Updated: 2026-04-01T11:46:51.294Z

NVD

Status : Awaiting Analysis

Published: 2026-04-01T05:15:59.983

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-5254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:18:28Z

Weaknesses