Description
UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim's browser by tricking them into clicking a crafted link. 
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Published: 2026-06-18
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw that allows attackers to embed arbitrary JavaScript in pages that are rendered in victims’ browsers when they follow a malicious link. The flaw exists because user input is incorporated into responses without proper validation or encoding, enabling malicious code to be executed with the victim’s session context.

Affected Systems

The flaw has been confirmed in the UBB.threads application version 7.7.5, produced by UBB Systems, and may also affect other, unverified releases of the same software.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. Because the vulnerability is a reflected XSS that requires the victim to click a malicious link, the attack vector is cross‑site. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Without an official patch, the risk arises only if an attacker can lure a user to the crafted URL; exploitation would result in arbitrary JavaScript running in the victim’s browser under the same origin as the site.

Generated by OpenCVE AI on June 18, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a newer version of UBB.threads that fixes the reflected XSS flaw.
  • Sanitize and encode all user‑supplied data that may be reflected back to browsers, ensuring that dangerous characters are escaped.
  • Deploy a Content Security Policy that restricts execution of inline scripts and disallows script injection.

Generated by OpenCVE AI on June 18, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ubb Systems
Ubb Systems ubb.threads
Vendors & Products Ubb Systems
Ubb Systems ubb.threads

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim's browser by tricking them into clicking a crafted link.  Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Title Reflected XSS in UBB.threads
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Ubb Systems Ubb.threads
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-18T13:30:11.277Z

Reserved: 2026-06-12T11:03:23.916Z

Link: CVE-2026-54221

cve-icon Vulnrichment

Updated: 2026-06-18T13:29:57.168Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:56:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')