CVE-2026-30162
Cross-Site Scripting in Timo 2.0.3 via Title Field
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| auntvt | timo | 2.0.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30162 is an HTML injection vulnerability in Timo version 2.0.3 that arises from insufficient sanitization of user input in the title field.
Although the application uses Jsoup for HTML sanitization with a relaxed whitelist that allows certain HTML tags and attributes, user-supplied HTML content is output directly on the page without adequate encoding or filtering.
This flaw enables attackers to inject arbitrary HTML elements, including crafted links, which can be used for malicious purposes such as phishing attacks.
How can this vulnerability impact me?
This vulnerability can allow attackers to inject malicious HTML content into the application, potentially leading to phishing attacks by tricking users into clicking harmful links.
It may also enable attackers to manipulate the displayed content, which can damage the trustworthiness of the application and expose users to further security risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability involves identifying whether the Timo 2.0.3 application renders user-supplied HTML content without sufficient sanitization or encoding, particularly in the title field or other input fields that accept HTML.
One practical approach is to test the application by submitting crafted inputs containing HTML tags or scripts in the title or other input fields and observing if these inputs are reflected in the output without proper sanitization.
Example commands using curl to test for the vulnerability by injecting HTML in the title field could be:
- `curl -X POST "http://target-url/" -d "title=<script>alert('XSS')</script>"`
- `curl -G "http://target-url/" --data-urlencode "title=<a href='http://malicious.com'>link</a>"`
After sending such requests, inspect the response in the browser or via command line tools to see if the injected HTML is rendered or executed, indicating the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that all user-supplied input, especially in the title field and other HTML-accepting inputs, is properly sanitized and encoded before rendering.
Specifically, review and strengthen the HTML sanitization configuration in Timo 2.0.3, avoiding the use of relaxed whitelists that allow potentially dangerous tags or attributes.
Disallow or strictly limit HTML tags and attributes that can lead to script execution, and ensure that event handler attributes (like onclick, onerror) and dangerous protocols (like javascript:) are fully blocked.
If possible, update or patch the application to a version where this vulnerability is fixed or apply custom sanitization logic that encodes or escapes HTML entities in user inputs.
Additionally, consider implementing Content Security Policy (CSP) headers to reduce the impact of any injected scripts.
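As an added illustration (not Timo's code), the following Java snippet contrasts the relaxed Jsoup safelist the advisory describes with a text-only configuration for a title field, plus an input-side check that rejects markup outright; the class name and the sample title are constructed for this example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

// Added example, not part of Timo. A title is plain text, so it should never
// pass through a safelist that keeps tags; the weak and hardened paths are shown
// side by side.
public final class TitleSanitizer {

    // Constructed sample input: a crafted link of the kind the advisory describes.
    static final String CRAFTED_TITLE =
        "Quarterly report <a href=\"http://malicious.example/login\">reset your password</a>";

    // Weak: mirrors the described configuration. Safelist.relaxed() keeps <a href>,
    // <img src>, headings and tables, so a phishing link survives cleaning intact.
    static String weakClean(String untrusted) {
        return Jsoup.clean(untrusted, Safelist.relaxed());
    }

    // Hardened for a title field: Safelist.none() drops every tag and Jsoup
    // entity-encodes the remaining text (< > &) so it renders as literal characters.
    static String hardenedClean(String untrusted) {
        return Jsoup.clean(untrusted, Safelist.none());
    }

    // Input-side check: reject a title containing any markup instead of silently
    // rewriting it, so the attempt can be logged and the user told why.
    static boolean isPlainText(String untrusted) {
        return Jsoup.isValid(untrusted, Safelist.none());
    }

    // Where rich text is genuinely needed (a body field, not a title), start from
    // Safelist.basic(): no img, no tables, links get rel=nofollow. Dropping the
    // ftp and mailto protocols and enforcing noopener tightens it further.
    static Safelist richTextSafelist() {
        return Safelist.basic()
            .removeProtocols("a", "href", "ftp", "mailto")
            .addEnforcedAttribute("a", "rel", "nofollow noopener");
    }

    public static void main(String[] args) {
        System.out.println("weak     : " + weakClean(CRAFTED_TITLE));
        System.out.println("hardened : " + hardenedClean(CRAFTED_TITLE));
        System.out.println("plainText: " + isPlainText(CRAFTED_TITLE));
        System.out.println("richText : " + Jsoup.clean(CRAFTED_TITLE, richTextSafelist()));
    }
}
```

Run against the constructed title, the weak path returns the anchor unchanged while the hardened path returns only the text; `isPlainText` is the check to wire into the form handler so that a title containing tags is refused before it is stored.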