{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/nukeviet/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NukeViet CMS"],"_cs_severities":["high"],"_cs_tags":["xss","stored-xss","nukeviet","cve-2026-41147"],"_cs_type":"advisory","_cs_vendors":["NukeViet"],"content_html":"\u003cp\u003eNukeViet CMS version 4.5.08 and earlier contains a stored cross-site scripting (XSS) vulnerability (CVE-2026-41147) due to insufficient server-side input sanitization within the Request class. The application\u0026rsquo;s reliance on client-side filtering for HTML input allows attackers to bypass security measures by directly modifying HTTP requests, for example using tools like Burp Suite. This vulnerability impacts modules accepting user-submitted HTML through the Request class, allowing attackers to inject malicious payloads that are stored server-side and subsequently executed in the browsers of users viewing the compromised content. The Contact module was identified as a proof-of-concept, though other modules are also susceptible. No authentication is required to exploit the vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a NukeViet CMS instance running a vulnerable version (\u0026lt;= 4.5.08).\u003c/li\u003e\n\u003cli\u003eThe attacker locates an input field (e.g., in the Contact module) that utilizes the Request class for processing HTML content.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XSS payload, such as \u003ccode\u003e\u0026lt;iframe srcdoc=\u0026quot;\u0026amp;lt;img src=1 onerror=alert(document.cookie)\u0026amp;gt;\u0026quot;\u0026gt;\u0026lt;/iframe\u0026gt;\u003c/code\u003e, designed to execute JavaScript code in the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the HTTP request containing the form submission (e.g., using Burp Suite) and modifies the request to inject the crafted XSS payload into the vulnerable input field.\u003c/li\u003e\n\u003cli\u003eThe server stores the attacker\u0026rsquo;s payload in the database.\u003c/li\u003e\n\u003cli\u003eA user (e.g., an administrator or moderator) views the content containing the stored XSS payload.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the malicious JavaScript code embedded in the iframe.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the user\u0026rsquo;s session cookies, performs actions under the victim\u0026rsquo;s identity, defaces the website, redirects the user to a phishing page, or performs phishing attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to various adverse outcomes. Administrators and moderators are at risk when viewing user-submitted content containing malicious payloads. The vulnerability can result in session hijacking via cookie theft, unauthorized actions performed under the victim\u0026rsquo;s identity, defacement of the website, redirection to phishing pages, and phishing attacks via manipulated email notifications. This vulnerability allows unauthenticated attackers to inject arbitrary JavaScript code into the application, affecting all users who interact with the stored payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to NukeViet version 4.5.08 or later to patch CVE-2026-41147 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect NukeViet XSS Payload\u0026rdquo; to identify potential exploitation attempts targeting the Request class via HTTP POST requests.\u003c/li\u003e\n\u003cli\u003eImplement server-side HTML sanitization in the Request class to strip or encode potentially harmful tags and attributes as a general security measure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T16:47:05Z","date_published":"2026-05-15T16:47:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nukeviet-xss/","summary":"NukeViet CMS version 4.5.08 and earlier is vulnerable to stored cross-site scripting (XSS) via insufficient server-side input sanitization in the Request class, allowing attackers to inject malicious payloads that can lead to session hijacking, defacement, and phishing attacks.","title":"NukeViet CMS Stored XSS Vulnerability via Insufficient Input Sanitization (CVE-2026-41147)","url":"https://feed.craftedsignal.io/briefs/2026-05-nukeviet-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — NukeViet","version":"https://jsonfeed.org/version/1.1"}