CVE-2026-25144
Unknown Unknown - Not Provided
Stored XSS in Talishar Chat Allows Remote Script Execution

Publication date: 2026-02-02

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25144
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor talishar to 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) in the chat system of the fan-made Flesh and Blood project called Talishar. Specifically, the playerID parameter in the SubmitChat.php file is saved without proper sanitization and is executed whenever a user views the current game page, allowing malicious scripts to run.

Impact Analysis

The vulnerability can allow attackers to inject malicious scripts into the chat system, which will execute in the browsers of users viewing the game page. This can lead to unauthorized actions such as session hijacking, defacement, or other malicious activities impacting the integrity of the user experience.

Mitigation Strategies

Apply the fix identified by commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 which sanitizes the playerID parameter in SubmitChat.php to prevent Stored XSS. Until the fix is applied, avoid using or exposing the vulnerable chat system to untrusted users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart