CVE-2026-1151
Cross-Site Scripting in technical-laohu mpay User Center

Publication date: 2026-01-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in technical-laohu mpay up to and including version 1.2.4. The affected element is an unknown function of the User Center component. Manipulation of the argument Nickname leads to cross-site scripting (CWE-79). The attack can be launched remotely. A public exploit exists and could be used in attacks.
Meta Information
Published: 2026-01-19
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
One associated CPE
Vendor: technical-laohu
Product: mpay
Version / Range: up to and including 1.2.4
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1151 is a stored Cross-Site Scripting (XSS) vulnerability in technical-laohu mpay up to and including version 1.2.4, located in the User Center component (the cited resources describe the affected code as the username/nickname modification function). The Nickname value is not properly neutralized before it is written back into a page, so a remote attacker can store a script payload in the field that executes in the browser of anyone who loads the affected page. [1, 2, 3]


How can this vulnerability impact me?

Exploitation can result in theft of sensitive user information such as session cookies, unauthorized modification of page content, and, because the payload is stored, repeated delivery of malicious content to users over an extended period. It poses a significant risk to user privacy and to the reputation of the affected site. The attack requires an authenticated account and interaction by the victim (loading the page that renders the stored nickname), but it can be initiated remotely. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves checking stored Nickname values in the User Center component (and in the username modification function of the administrative backend, where the resources also locate it) of mpay up to 1.2.4 for script injections, and monitoring HTTP requests and responses for suspicious script tags or payloads in the Nickname parameter. The cited resources give no specific commands; practical approaches are a web vulnerability scanner, a query over the users table for nicknames containing markup, and manual inspection of the rendered profile page. Because the payload is stored, the user table itself is the most reliable place to look: a request-level check misses payloads submitted before logging began or through channels the logs do not cover. [1, 2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include filtering input (on the server, not only in the frontend, since a client-side filter is bypassed by sending the request directly) and applying HTML entity encoding to all user-supplied data rendered back to the page, so that a stored payload is displayed as text rather than executed. Since no known countermeasures or patches currently exist, replacing the affected product with an alternative may be considered. Until a fix is available, restricting the Nickname field to an allowlist of characters and monitoring it, together with the administrative backend, reduces the exposure. [1, 2]
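An added illustration of the encoding step (example code, not mpay's own; the project's language and templating are not given on this page): the same Nickname value rendered the CWE-79 way beside the HTML-entity-encoded render, in both a text context and an attribute context, plus a server-side allowlist validator. The allowlist and the payloads are constructed for the example.

```python
import html
import re

# Server-side nickname policy. Assumed allowlist for illustration: word characters
# (Unicode-aware, so CJK names pass), spaces, dots and hyphens, 1 to 32 characters.
NICKNAME_RE = re.compile(r"^[\w .\-]{1,32}$")


def validate_nickname(nickname: str) -> bool:
    """Reject anything outside the allowlist before it reaches storage."""
    return bool(NICKNAME_RE.fullmatch(nickname))


def render_nickname_unsafe(nickname: str) -> str:
    """The CWE-79 pattern: stored user data concatenated straight into the page."""
    return f'<span class="nickname">{nickname}</span>'


def render_nickname_safe(nickname: str) -> str:
    """HTML-entity encode at output time. quote=True also encodes ' and " so the
    same helper stays safe when the value lands inside a quoted attribute."""
    return f'<span class="nickname">{html.escape(nickname, quote=True)}</span>'


def render_edit_form_unsafe(nickname: str) -> str:
    """Attribute context, unencoded: a leading '">' closes the attribute and the tag."""
    return f'<input name="Nickname" value="{nickname}">'


def render_edit_form_safe(nickname: str) -> str:
    """Attribute context, encoded: the breakout characters become entities."""
    return f'<input name="Nickname" value="{html.escape(nickname, quote=True)}">'


TAG_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.I)


def tags_in(rendered: str) -> set:
    """Tag names present in a rendered fragment, to show whether user data added any."""
    return {m.group(1).lower() for m in TAG_RE.finditer(rendered)}


# Constructed payloads, not from the advisory: a plain script tag and an attribute breakout.
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '"><img src=x onerror=alert(1)>'

if __name__ == "__main__":
    for p in (PAYLOAD_TEXT, PAYLOAD_ATTR):
        print("accepted by allowlist:", validate_nickname(p))
        print("unsafe text :", render_nickname_unsafe(p), sorted(tags_in(render_nickname_unsafe(p))))
        print("safe text   :", render_nickname_safe(p), sorted(tags_in(render_nickname_safe(p))))
        print("unsafe attr :", render_edit_form_unsafe(p), sorted(tags_in(render_edit_form_unsafe(p))))
        print("safe attr   :", render_edit_form_safe(p), sorted(tags_in(render_edit_form_safe(p))))
```

Output encoding is the control that prevents execution: the encoded render contains only the template's own span or input tag regardless of what was stored. The allowlist is defence in depth and a policy choice (it must admit the scripts your users actually write), and it does nothing for payloads already sitting in the table, which is why encoding must be applied wherever the stored value is rendered, including the administrative backend.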


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not discuss the impact of this vulnerability on compliance with standards and regulations such as GDPR or HIPAA. Since the vulnerability allows theft of sensitive user information and unauthorized tampering, it could contribute to non-compliance with data protection rules that require safeguarding user data and privacy, but no statement about compliance impact or regulatory consequences is given in the resources. [1, 3]

