Product
A stored cross-site scripting (XSS) vulnerability, CVE-2026-49259, exists in NukeViet CMS versions 4.x through 4.5.08, including the 'composer/nukeviet/nukeviet' package prior to version 4.5.09, which allows a low-privileged authenticated user to inject JavaScript into their profile's display name fields that executes in the browser of any visitor, including administrators, who clicks the 'Reply' link on a comment posted by the attacker, leading to arbitrary JavaScript execution, administrative session hijacking, credential phishing, and data exfiltration.