NukeViet CMS Stored XSS Vulnerability via Insufficient Input Sanitization (CVE-2026-41147)
NukeViet CMS version 4.5.08 and earlier is vulnerable to stored cross-site scripting (XSS) via insufficient server-side input sanitization in the Request class, allowing attackers to inject malicious payloads that can lead to session hijacking, defacement, and phishing attacks.
NukeViet CMS version 4.5.08 and earlier contains a stored cross-site scripting (XSS) vulnerability (CVE-2026-41147) due to insufficient server-side input sanitization within the Request class. The application’s reliance on client-side filtering for HTML input allows attackers to bypass security measures by directly modifying HTTP requests, for example using tools like Burp Suite. This vulnerability impacts modules accepting user-submitted HTML through the Request class, allowing attackers to inject malicious payloads that are stored server-side and subsequently executed in the browsers of users viewing the compromised content. The Contact module was identified as a proof-of-concept, though other modules are also susceptible. No authentication is required to exploit the vulnerability.
Attack Chain
- An attacker identifies a NukeViet CMS instance running a vulnerable version (<= 4.5.08).
- The attacker locates an input field (e.g., in the Contact module) that utilizes the Request class for processing HTML content.
- The attacker crafts a malicious XSS payload, such as <iframe srcdoc="<img src=1 onerror=alert(document.cookie)>"></iframe>, designed to execute JavaScript code in the victim’s browser.
- The attacker intercepts the HTTP request containing the form submission (e.g., using Burp Suite) and modifies the request to inject the crafted XSS payload into the vulnerable input field.
- The server stores the attacker’s payload in the database.
- A user (e.g., an administrator or moderator) views the content containing the stored XSS payload.
- The user’s browser executes the malicious JavaScript code embedded in the iframe.
- The attacker gains unauthorized access to the user’s session cookies, performs actions under the victim’s identity, defaces the website, redirects the user to a phishing page, or performs phishing attacks.
Impact
Successful exploitation of this vulnerability can lead to various adverse outcomes. Administrators and moderators are at risk when viewing user-submitted content containing malicious payloads. The vulnerability can result in session hijacking via cookie theft, unauthorized actions performed under the victim’s identity, defacement of the website, redirection to phishing pages, and phishing attacks via manipulated email notifications. This vulnerability allows unauthenticated attackers to inject arbitrary JavaScript code into the application, affecting all users who interact with the stored payload.
Recommendation
- Upgrade to NukeViet version 4.5.08 or later to patch CVE-2026-41147 as recommended by the vendor.
- Deploy the Sigma rule “Detect NukeViet XSS Payload” to identify potential exploitation attempts targeting the Request class via HTTP POST requests.
- Implement server-side HTML sanitization in the Request class to strip or encode potentially harmful tags and attributes as a general security measure.
Detection coverage (2 rules)
Detect NukeViet XSS Payload
Severity: high. Detects potential XSS payloads being submitted to NukeViet CMS via HTTP POST requests, indicating exploitation attempts.
Detect NukeViet XSS - HTML Event Attributes
Severity: medium. Detects potential XSS exploitation attempts targeting NukeViet by searching for HTML event attributes in web server logs.
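The kind of check these two detections describe can be sketched as follows. This is an added example, not the platform's Sigma rules and not NukeViet code: it normalises nested URL and HTML-entity encoding in a form-urlencoded POST body, then looks for event attributes, iframe srcdoc, script tags and javascript: URIs. The field names and sample bodies are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus

# Patterns checked against each fully decoded field value.
INDICATORS = {
    "event_attribute": re.compile(r"<[^>]*[\s\"'/]on[a-z]+\s*=", re.I),
    "srcdoc_attribute": re.compile(r"<iframe\b[^>]*\bsrcdoc\s*=", re.I),
    "script_tag": re.compile(r"<script\b", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*[\"']?\s*javascript:", re.I),
}

# Constructed sample POST bodies; the field names are hypothetical.
SAMPLES = [
    "fname=Alice&fcon=Hello%2C+please+call+me+back",
    "fname=Bob&fcon=%3Ciframe+srcdoc%3D%22%3Cimg+src%3D1+onerror%3Dalert(document.cookie)%3E%22%3E%3C%2Fiframe%3E",
    "fname=Eve&fcon=%253Cimg%2520src%253D1%2520onerror%253Dalert(1)%253E",
]

def decode_layers(value, max_rounds=5):
    """Undo nested URL and HTML-entity encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def scan_post_body(body):
    """Return {field: [indicator, ...]} for a form-urlencoded POST body."""
    findings = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        text = decode_layers(value)
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[field] = hits
    return findings

if __name__ == "__main__":
    for body in SAMPLES:
        print(scan_post_body(body) or "clean")
```

Matching of this kind only flags submissions for review; it does not replace server-side sanitization of the stored HTML.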