Description
A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Cross-site scripting
Action: Apply Patch
AI Analysis

Impact

A flaw in the internal Message Module of Qibo CMS 1.0 allows an attacker to inject arbitrary script or HTML when manipulating messages, resulting in cross‑site scripting when the affected user views it. The vulnerability is exploitable through normal web requests and can execute code within the victim’s browser context.

Affected Systems

Qibo CMS 1.0, specifically the internal Message Module. The vendor, Qibo, has not issued a fix and has not responded to the disclosed vulnerability.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and while the EPSS score is not available, the exploit has been made public, suggesting that attackers can readily target the vulnerability. The flaw can be triggered remotely, and the lack of a vendor fix or KEV listing increases the risk of ongoing exploitation. Given the remote nature of the attack vector, any user who views a crafted message could have their browser session hijacked or other malicious actions performed. The CVE description does not specify authentication requirements, implying that the vulnerability may affect all users who access the affected functionality.

Generated by OpenCVE AI on April 20, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a web application firewall to filter or block malicious payloads in the internal message module.
  • Apply any vendor‑issued patch or update as soon as it becomes available.
  • Restrict or disable the internal message feature for untrusted users, or sanitize input to neutralise XSS payloads.

Generated by OpenCVE AI on April 20, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Qibo
Qibo cms
Vendors & Products Qibo
Qibo cms
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Qibo CMS Internal Message cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Qibo Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T14:51:00.368Z

Reserved: 2026-04-20T05:38:49.068Z

Link: CVE-2026-6648

cve-icon Vulnrichment

Updated: 2026-04-20T14:50:49.699Z

cve-icon NVD

Status : Received

Published: 2026-04-20T13:16:11.647

Modified: 2026-04-20T13:16:11.647

Link: CVE-2026-6648

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:15:09Z

Weaknesses