Description
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contain a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields. Attackers can bypass front-end length restrictions using JavaScript comments and template literals to concatenate executable script fragments that are rendered in administrative dashboard views such as index.zhtml, resulting in persistent script execution within administrative sessions.
Published: 2026-05-20
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Taiko AG1000‑01A SMS Alert Gateway Rev 7.3 and Rev 8 contain a stored cross‑site scripting vulnerability that permits an authenticated attacker to embed persistent JavaScript in the device’s web configuration interface by fragmenting payloads across multiple administrative form fields. The attacker can bypass front‑end length restrictions using JavaScript comments and template literals, causing executable script fragments to be rendered in administrative dashboard views such as index.zhtml, which results in persistent script execution within administrative sessions. Persistent execution enables the attacker to run arbitrary scripts within the admin session, potentially compromising administrative data or escalating privileges.

Affected Systems

The affected product is the Taiko Network Communications Pte Ltd. AG1000‑01A SMS Alert Gateway, available in revisions 7.3 and 8.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. EPSS score is not available, preventing a precise probability estimate, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers need authenticated accounts and access to the web configuration interface, making the threat largely confined to environments where local or remote administrative access is possible. Successful exploitation could lead to unauthorized script execution within the admin context, enabling data theft or further compromise of the device.

Generated by OpenCVE AI on May 20, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AG1000‑01A firmware to a version that includes the vendor’s fix for the stored XSS issue once one is released (none is currently provided).
  • Restrict access to the web configuration interface to trusted administrators, use a dedicated management VLAN or VPN, and enforce multi‑factor authentication.
  • Configure the device’s input validation and output encoding mechanisms to sanitize all admin‑supplied data, following CWE‑79 best practices, to prevent script injection.
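
An added example (not code from the vendor, OpenCVE or the CVE record) of the server-side validation and output encoding the last recommendation calls for: it audits stored admin field values for over-length input and markup or comment tokens, and encodes every value when the dashboard is rendered so that fragments split across fields stay inert. The field names, limits and sample values are assumptions constructed for illustration.

```python
import html

# Hypothetical server-side limits per admin form field (names are assumptions).
FIELD_LIMITS = {"site_name": 16, "contact": 16, "location": 16}
# Tokens that can open markup, a script comment or a template literal.
SUSPICIOUS = ("<", ">", "/*", "*/", "`")


def audit_fields(stored):
    """Return {field: [reasons]} for stored values a reviewer should inspect."""
    findings = {}
    for name, value in stored.items():
        reasons = []
        limit = FIELD_LIMITS.get(name)
        if limit is None:
            reasons.append("unknown field")
        elif len(value) > limit:
            # A browser-side maxlength is advisory; the server must re-check it.
            reasons.append(f"exceeds server-side limit of {limit}")
        hits = [tok for tok in SUSPICIOUS if tok in value]
        if hits:
            reasons.append("markup/comment tokens: " + " ".join(hits))
        if reasons:
            findings[name] = reasons
    return findings


def render_dashboard(stored):
    """Encode every value at output so fragments cannot join into markup."""
    rows = [
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in stored.items()
    ]
    return "<table>" + "".join(rows) + "</table>"


# Constructed sample: each value fits its limit, yet two carry split fragments.
SAMPLE = {"site_name": "plant-A<i>/*", "contact": "*/ops</i>", "location": "Hall 3"}

if __name__ == "__main__":
    for field, why in audit_fields(SAMPLE).items():
        print(field, "->", "; ".join(why))
    print(render_dashboard(SAMPLE))
```

Each sample value passes a per-field length check on its own, which is why the encoding step at render time is the control that matters; the audit only helps find values already stored.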



Advisories

No advisories yet.

History

Thu, 21 May 2026 14:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 21 May 2026 08:45:00 +0000

Values added:
  • First Time appeared: Taiko; Taiko ag1000-01a Sms Alert Gateway
  • Vendors & Products: Taiko; Taiko ag1000-01a Sms Alert Gateway

Wed, 20 May 2026 20:15:00 +0000

Values added:
  • Description: same text as the Description at the top of this page
  • Title: Taiko AG1000-01A Rev 7.3/8 Stored XSS via Web Configuration Interface
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L'}
  • Metrics: cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T14:09:22.452Z

Reserved: 2026-05-20T20:01:30.438Z

Link: CVE-2026-9144

Vulnrichment

Updated: 2026-05-21T14:09:15.216Z

NVD

Status: Deferred

Published: 2026-05-20T20:16:46.640

Modified: 2026-05-21T15:17:59.850

Link: CVE-2026-9144

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T08:18:40Z
