Vendor
Two filter-bypass techniques in NukeViet\Core\Request allow a low-privileged user with news-posting permission to store and execute arbitrary JavaScript in the browsers of any visitor to an affected page, leading to session cookie theft, credential harvesting, defacement, and further privilege escalation via CVE-2026-54064.