Description
A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross-site scripting. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Published: 2026-05-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting flaw exists in the data.get function of the Slide Generator component of NextLevelBuilder UI‑UX Pro Max Skill. The flaw allows malicious input to be injected into the generated slide output, causing the browser to execute attacker‑controlled scripts. According to the description, the attack can be performed remotely and has already been disclosed publicly, indicating that attackers could leverage this to compromise user sessions, exfiltrate data, or perform social‑engineering attacks within the application.

Affected Systems

NextLevelBuilder UI‑UX Pro Max Skill, specifically its Slide Generator module, is affected in all releases up to and including version 2.5.0. Users running any of these builds should review their deployment to determine whether the component is exposed to untrusted input sources.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as moderate, and no EPSS score is available yet, so there is no indication so far of widespread automated exploitation. The vulnerability is not listed in the CISA KEV catalog. The attacker needs to get crafted input to the data.get function remotely; the flaw is reachable through whatever interface feeds slide content into the generator. Given the public disclosure and the lack of a vendor response, the risk to environments that feed the generator untrusted input remains significant.

Generated by OpenCVE AI on May 1, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Once one is released, upgrade NextLevelBuilder UI‑UX Pro Max Skill to a version newer than 2.5.0 that contains the XSS fix.
  • Until an official patch is released, modify the data.get implementation or the slide rendering logic to properly escape or sanitize all user‑supplied data before it is injected into the DOM.
  • Restrict access to the Slide Generator interface to trusted users only and validate input on the client side to reduce the attack surface.
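As an added illustration of the escaping step in the second recommendation (example code written for this page, not the project's generate-slide.py): a slide builder that reads fields from a dict with data.get and emits HTML. vulnerable_render interpolates the raw values; render_slide escapes each value with html.escape at the point where it is written into the markup. The field names, the sample record and the helper names are constructed for the example.

```python
import html

# Constructed sample record: "title" and "body" stand in for slide content
# that reaches the generator from an untrusted source.
UNTRUSTED_SLIDE = {
    "title": 'Q3 "Review" <script>alert(1)</script>',
    "body": "Revenue up 12% & <b>costs</b> down",
}


def vulnerable_render(data: dict) -> str:
    # Unsafe pattern: data.get() values are interpolated verbatim, so any
    # tag in the input becomes live HTML and a stray quote breaks out of
    # the data-title attribute.
    return (
        f'<section class="slide" data-title="{data.get("title", "")}">'
        f'<h1>{data.get("title", "")}</h1>'
        f'<p>{data.get("body", "")}</p>'
        "</section>"
    )


def esc(value) -> str:
    # html.escape with quote=True encodes & < > " and ', so the value is
    # inert both as element text and inside a double-quoted attribute.
    return html.escape(str(value), quote=True)


def render_slide(data: dict) -> str:
    # Hardened form: output encoding applied to every data.get() result at
    # the moment it is written into markup (not input filtering).
    title = esc(data.get("title", ""))
    body = esc(data.get("body", ""))
    return (
        f'<section class="slide" data-title="{title}">'
        f"<h1>{title}</h1>"
        f"<p>{body}</p>"
        "</section>"
    )


def leaks_raw_markup(rendered: str, fragment: str) -> bool:
    # Regression check for tests/CI: a raw tag from the input must not
    # survive into the generated slide unencoded.
    return fragment in rendered


if __name__ == "__main__":
    print(vulnerable_render(UNTRUSTED_SLIDE))
    print(render_slide(UNTRUSTED_SLIDE))
```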

Advisories

No advisories yet.

History

Sat, 02 May 2026 02:15:00 +0000

Values added (nothing removed):
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 21:15:00 +0000

Values added (nothing removed):
Description: A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Title: nextlevelbuilder ui-ux-pro-max-skill Slide Generator generate-slide.py data.get cross site scripting
Weaknesses: CWE-79, CWE-94
References: (none listed)
Metrics:
  cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T01:23:29.311Z

Reserved: 2026-05-01T09:49:04.611Z

Link: CVE-2026-7596

Vulnrichment

Updated: 2026-05-02T01:23:24.496Z

NVD

Status : Received

Published: 2026-05-01T21:16:18.300

Modified: 2026-05-02T02:16:00.947

Link: CVE-2026-7596

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T23:00:14Z

Weaknesses