CVE-2026-30162
Received Received - Intake
Cross-Site Scripting in Timo 2.0.3 via Title Field

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: MITRE

Description
Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-30162
EUVD
EUVD-2026-16187
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
auntvt timo 2.0.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30162 is an HTML injection vulnerability in Timo version 2.0.3 that arises from insufficient sanitization of user input in the title field.

Although the application uses Jsoup for HTML sanitization with a relaxed whitelist allowing certain HTML tags and attributes, user-supplied HTML content is directly outputted on the page without adequate encoding or filtering.

This flaw enables attackers to inject arbitrary HTML elements, including crafted links, which can be used for malicious purposes such as phishing attacks.

Impact Analysis

This vulnerability can allow attackers to inject malicious HTML content into the application, potentially leading to phishing attacks by tricking users into clicking harmful links.

It may also enable attackers to manipulate the displayed content, which can damage the trustworthiness of the application and expose users to further security risks.

Detection Guidance

Detection of this vulnerability involves identifying if the Timo 2.0.3 application improperly renders user-supplied HTML content without sufficient sanitization or encoding, particularly in the title field or other input fields that accept HTML.

One practical approach is to test the application by submitting crafted inputs containing HTML tags or scripts in the title or other input fields and observing if these inputs are reflected in the output without proper sanitization.

Example commands using curl to test for the vulnerability by injecting HTML in the title field could be:

  • curl -X POST "http://target-url/" -d "title=<script>alert('XSS')</script>"
  • curl -G "http://target-url/" --data-urlencode "title=<a href='http://malicious.com'>link</a>"

After sending such requests, inspect the response in the browser or via command line tools to see if the injected HTML is rendered or executed, indicating the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include ensuring that all user-supplied input, especially in the title field and other HTML-accepting inputs, is properly sanitized and encoded before rendering.

Specifically, review and strengthen the HTML sanitization configuration in Timo 2.0.3, avoiding the use of relaxed whitelists that allow potentially dangerous tags or attributes.

Disallow or strictly limit HTML tags and attributes that can lead to script execution, and ensure that event handler attributes (like onclick, onerror) and dangerous protocols (like javascript:) are fully blocked.

If possible, update or patch the application to a version where this vulnerability is fixed or apply custom sanitization logic that encodes or escapes HTML entities in user inputs.

Additionally, consider implementing Content Security Policy (CSP) headers to reduce the impact of any injected scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30162. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart