Description
UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Published: 2026-06-18
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

UBB.threads contains a stored XSS flaw that allows a low‑privileged attacker to inject arbitrary JavaScript into posts and user profile fields. When a victim views the compromised content, the script runs in their browser, enabling cookie theft, session hijacking, or other malicious actions that compromise the confidentiality and integrity of user accounts.

Affected Systems

UBB Systems UBB.threads version 7.7.5 is confirmed vulnerable; other releases may also be affected, but no additional data is available.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate threat level, and the EPSS score is not available. The vulnerability is not listed in CISA's KEV catalog. Attackers can exploit the flaw from any user account that can create or edit posts or profile information. No special privileges or network access are required beyond normal user functionality. Given the absence of a vendor patch, the risk persists until a fix is deployed.

Generated by OpenCVE AI on June 18, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Revoke or restrict posting permissions to trusted administrators only, preventing low‑privileged users from creating or editing posts and profile content.
  • Configure the application to escape or filter all user‑supplied input before rendering it; ensure that HTML entities are properly encoded to neutralize scripts.
  • Deploy a Web Application Firewall or content‑filtering module to detect and block XSS payloads before they reach the browser.

Generated by OpenCVE AI on June 18, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ubb Systems
Ubb Systems ubb.threads
Vendors & Products Ubb Systems
Ubb Systems ubb.threads

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Title Stored XSS in UBB.threads
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Ubb Systems Ubb.threads
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-18T13:31:59.555Z

Reserved: 2026-06-12T11:03:23.916Z

Link: CVE-2026-54219

cve-icon Vulnrichment

Updated: 2026-06-18T13:31:51.438Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:56:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')