{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nukeviet--4.6.00/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NukeViet (\u003c 4.6.00)"],"_cs_severities":["high"],"_cs_tags":["xss","web-vulnerability","cms","cross-site-scripting","filter-bypass"],"_cs_type":"advisory","_cs_vendors":["Vinades"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-54064, has been identified in NukeViet content management system versions prior to 4.6.00, specifically impacting the \u003ccode\u003eNukeViet\\Core\\Request\u003c/code\u003e class. This vulnerability allows a low-privileged authenticated user with news-posting permissions to execute stored Cross-Site Scripting (XSS) attacks. Two distinct filter bypass techniques enable attackers to inject arbitrary JavaScript: one involves prefixing HTML event handler attributes with a Form Feed character (\u003ccode\u003e\\x0C\u003c/code\u003e) to circumvent \u003ccode\u003efilterAttr()\u003c/code\u003e's \u003ccode\u003eon\u003c/code\u003e keyword check, and the other utilizes a decimal HTML entity (\u003ccode\u003e\u0026amp;#9;\u003c/code\u003e) for a tab character within \u003ccode\u003ejavascript:\u003c/code\u003e URIs to bypass \u003ccode\u003eunhtmlentities()\u003c/code\u003e's keyword filtering. These bypasses allow malicious scripts to be embedded in news articles, which are then rendered and executed in the browsers of any visitor, including administrators. This can lead to severe consequences such as session hijacking, credential theft, website defacement, and potential full system compromise, underscoring the importance of immediate patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains low-privileged user credentials for a NukeViet instance, with permissions to post or edit news articles.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload, such as \u003ccode\u003e\u0026lt;img src=\u0026quot;x\u0026quot; %0Conerror=\u0026quot;alert('XSS')\u0026quot;\u0026gt;\u003c/code\u003e, intending to inject it into a news article's content.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a Markdown-style link containing \u003ccode\u003ejav\u0026amp;#9;ascript:alert('XSS')\u003c/code\u003e, which is designed to bypass NukeViet's input sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted payload as part of the \u003ccode\u003ebodyhtml\u003c/code\u003e field when creating or updating a news article within the NukeViet CMS.\u003c/li\u003e\n\u003cli\u003eNukeViet's backend processing, specifically \u003ccode\u003eNukeViet\\Core\\Request::filterAttr()\u003c/code\u003e and \u003ccode\u003eNukeViet\\Core\\Request::unhtmlentities()\u003c/code\u003e, fails to correctly sanitize the input due to the identified filter bypasses.\u003c/li\u003e\n\u003cli\u003eThe unsanitized malicious HTML and JavaScript are persistently stored in the NukeViet database.\u003c/li\u003e\n\u003cli\u003eWhen any user, including an administrator, browses to the affected news article page, their web browser renders the malicious content.\u003c/li\u003e\n\u003cli\u003eThe embedded JavaScript executes within the victim's browser context, potentially leading to session cookie theft, credential harvesting, or other malicious actions, ultimately resulting in privilege escalation or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability grants an authenticated attacker with news-posting permissions the ability to inject persistent JavaScript into the NukeViet content management system. This JavaScript executes within the browser of any user who views the compromised news article, including highly privileged administrators. The primary consequences include session cookie theft, which can lead to account takeover, and credential harvesting through deceptive forms. Furthermore, attackers could deface the website, redirect users to malicious sites, or leverage the compromised administrator session to achieve further privilege escalation and potentially full control over the NukeViet installation and underlying server. This widespread impact on all visitors, coupled with the potential for administrative account compromise, poses a significant threat to data integrity and system security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch by updating NukeViet to version 4.6.00 or higher immediately to address CVE-2026-54064.\u003c/li\u003e\n\u003cli\u003eImplement robust web application firewall (WAF) rules to detect and block requests containing known XSS bypass techniques, such as the Form Feed character (\u003ccode\u003e%0C\u003c/code\u003e) within HTML attribute names or decimal HTML entities (\u003ccode\u003e\u0026amp;#9;\u003c/code\u003e) in \u003ccode\u003ejavascript:\u003c/code\u003e URIs, specifically referencing the patterns found in CVE-2026-54064.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging of HTTP request bodies for web servers hosting NukeViet instances, where feasible, to capture full payload data for detection and forensic analysis of XSS attempts related to CVE-2026-54064.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T17:58:46Z","date_published":"2026-07-13T17:58:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nukeviet-xss-bypass/","summary":"Two filter-bypass techniques in NukeViet\\Core\\Request allow a low-privileged user with news-posting permission to store and execute arbitrary JavaScript in the browsers of any visitor to an affected page, leading to session cookie theft, credential harvesting, defacement, and further privilege escalation via CVE-2026-54064.","title":"NukeViet Multiple Anti-XSS Filter Bypasses Leading to Stored XSS","url":"https://feed.craftedsignal.io/briefs/2026-07-nukeviet-xss-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NukeViet (\u003c 4.6.00)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","arbitrary-file-deletion","web-vulnerability","cms"],"_cs_type":"advisory","_cs_vendors":["NukeViet"],"content_html":"\u003cp\u003eA high-severity path traversal vulnerability, tracked as CVE-2026-54065, affects NukeViet versions prior to 4.6.00. This flaw resides within the Edit Comment administrative function and can be exploited by an authenticated administrator. Attackers can leverage an unvalidated \u003ccode\u003eattach\u003c/code\u003e parameter in an HTTP POST request to inject path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) into the database. When a comment containing this malicious \u003ccode\u003eattach\u003c/code\u003e value is subsequently deleted, the \u003ccode\u003env_deletefile()\u003c/code\u003e function, which uses \u003ccode\u003erealpath()\u003c/code\u003e but lacks sufficient directory restriction, is tricked into deleting arbitrary files within the \u003ccode\u003eNV_ROOTDIR\u003c/code\u003e, such as \u003ccode\u003econfig.php\u003c/code\u003e. This can lead to a complete application outage and exposure of the installation wizard, severely impacting the availability and integrity of the affected NukeViet instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains or has access to administrator credentials for a NukeViet instance.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the NukeViet admin panel and navigates to the \u0026quot;Comment Management\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the HTTP POST request made when editing an existing comment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the \u003ccode\u003eattach\u003c/code\u003e parameter in the POST request by prepending 26 arbitrary characters (e.g., \u003ccode\u003eaaaaaaaaaaaaaaaaaaaaaaaaaa\u003c/code\u003e) followed by a path traversal sequence leading to a critical file, such as \u003ccode\u003e../../config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esubstr()\u003c/code\u003e function processes this crafted \u003ccode\u003eattach\u003c/code\u003e parameter, effectively storing \u003ccode\u003e../../config.php\u003c/code\u003e into the database due to incorrect length calculation and lack of validation.\u003c/li\u003e\n\u003cli\u003eThe attacker then deletes the modified comment from the NukeViet admin panel.\u003c/li\u003e\n\u003cli\u003eDuring the comment deletion process, \u003ccode\u003edel.php\u003c/code\u003e retrieves the malicious \u003ccode\u003eattach\u003c/code\u003e value from the database and passes it to \u003ccode\u003env_deletefile()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003env_deletefile()\u003c/code\u003e resolves the path to the target file (e.g., \u003ccode\u003econfig.php\u003c/code\u003e) using \u003ccode\u003erealpath()\u003c/code\u003e and proceeds to delete it from the application root, bypassing directory restrictions.\u003c/li\u003e\n\u003cli\u003eThe NukeViet application becomes inoperable due to the deletion of critical files like \u003ccode\u003econfig.php\u003c/code\u003e, immediately redirecting to the install wizard.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54065 allows an authenticated administrator to permanently delete any file readable by the web server process within the NukeViet installation root directory (\u003ccode\u003eNV_ROOTDIR\u003c/code\u003e). The most significant impact is the deletion of \u003ccode\u003econfig.php\u003c/code\u003e, which renders the NukeViet application entirely inoperable and automatically redirects users to the installation wizard, signifying a complete loss of application availability. This vulnerability has a CVSS v3.1 score of 8.7 (High), indicating high impact on integrity and availability with high privileges required but low attack complexity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54065 immediately by upgrading NukeViet to version 4.6.00 or later to ensure the \u003ccode\u003env_is_file()\u003c/code\u003e validation is applied to the \u003ccode\u003eattach\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block HTTP POST requests to \u003ccode\u003emodules/comment/admin/edit.php\u003c/code\u003e containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e) within the \u003ccode\u003eattach\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to \u003ccode\u003emodules/comment/admin/edit.php\u003c/code\u003e that contain unusual or path-like values in the \u003ccode\u003eattach\u003c/code\u003e parameter, particularly those with repeated directory traversal sequences, using the Sigma rule provided in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T17:57:37Z","date_published":"2026-07-13T17:57:37Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nukeviet-path-traversal/","summary":"An authenticated administrator in NukeViet is vulnerable to a path traversal flaw (CVE-2026-54065) in the Edit Comment admin function, allowing an attacker to inject a crafted `attach` parameter which, upon comment deletion, leads to arbitrary file deletion within the application root, causing a full application outage and exposing the install wizard.","title":"NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function","url":"https://feed.craftedsignal.io/briefs/2026-07-nukeviet-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - NukeViet (\u003c 4.6.00)","version":"https://jsonfeed.org/version/1.1"}