CVE-2026-1136
Unknown Unknown - Not Provided
Cross-Site Scripting in BootDo ContentController Save Function

Publication date: 2026-01-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1136
EUVD
EUVD-2026-3243
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lcg0124 bootdo to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1136 is a reflected Cross-Site Scripting (XSS) vulnerability in the BootDo software, specifically in the save function of the ContentController component at the /blog/bContent/save endpoint. The vulnerability occurs because the application does not properly filter or encode user inputs in the 'content', 'author', and 'title' parameters. This allows attackers to inject malicious scripts that are executed in the browsers of users who view the affected pages. No authentication is required to exploit this flaw, making it easily accessible. Exploitation can lead to execution of arbitrary JavaScript, potentially resulting in unauthorized access to user accounts, session hijacking, theft of sensitive data, webpage defacement, and compromise of website integrity. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of your users. This can lead to unauthorized access to user accounts, session hijacking, theft of sensitive information, defacement of your website, and overall compromise of your website's integrity. Such impacts can harm user privacy, damage business reputation, and disrupt normal business operations. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the /blog/bContent/save endpoint for reflected Cross-Site Scripting (XSS) by injecting script payloads such as `<script>alert(123)</script>` into the 'content', 'author', or 'title' parameters and observing if the script executes or is reflected unsanitized. You can use tools like curl or browser-based testing to send HTTP POST requests with these parameters. For example, a curl command to test might be: `curl -X POST -d "content=<script>alert(123)</script>&author=test&title=test" https://your-bootdo-instance/blog/bContent/save` and then check if the response contains the injected script unencoded. Additionally, automated vulnerability scanners that test for reflected XSS can be used against this endpoint. [1, 2]

Mitigation Strategies

Immediate mitigation steps include: 1) Encoding all user-generated content before rendering it on web pages by converting special characters like `<`, `>`, and `&` into their HTML entity equivalents (`&lt;`, `&gt;`, `&amp;`) to prevent script execution. 2) Implementing strict input validation and filtering to ensure that inputs for 'content', 'author', and 'title' conform to expected formats and do not contain malicious scripts. 3) Deploying a Content Security Policy (CSP) to restrict the sources from which scripts can be executed, thereby reducing the impact of any injected scripts. 4) Conducting regular security audits of code and systems to identify and address vulnerabilities promptly. If possible, consider replacing the affected product with a secure alternative or applying patches when available. [1, 2]

Compliance Impact

The vulnerability allows attackers to execute malicious scripts that can lead to unauthorized access to user accounts, session hijacking, and theft of sensitive data. Such impacts pose significant risks to user privacy and data protection, which can result in non-compliance with regulations like GDPR and HIPAA that mandate safeguarding personal and sensitive information. Therefore, this vulnerability negatively affects compliance with these common standards and regulations by exposing sensitive data to potential breaches. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1136. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart