CVE-2026-4846
Received Received - Intake
Cross-Site Scripting in dameng100 muucmf autoReply.html

Publication date: 2026-03-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4846
EUVD
EUVD-2026-16120
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dameng100 muucmf 1.9.5.20260309
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) issue that allows remote attackers to inject arbitrary JavaScript code, potentially compromising user sessions and data integrity.

Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or manipulation of personal or sensitive data, violating requirements for data protection and security.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to execute arbitrary JavaScript code in the context of your browser session when you access a maliciously crafted URL.

Such an attack can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim.

The vulnerability has a high severity score (CVSS 3.1 base score of 8.8), indicating significant potential impact on confidentiality, integrity, and availability.

Executive Summary

CVE-2026-4846 is a Reflected Cross-Site Scripting (XSS) vulnerability found in MuuCmf T6 CMS version 1.9.5.20260309. It exists in the endpoint /channel/admin.Account/autoReply.html via the keyword parameter.

Specifically, user input from the keyword parameter is directly inserted into the value attribute of an input tag without any filtering or sanitization. This allows a remote attacker to inject arbitrary JavaScript code.

When a victim accesses a crafted URL containing the malicious keyword parameter, the injected script executes in the context of their browser session.

Detection Guidance

This vulnerability can be detected by testing the endpoint `/channel/admin.Account/autoReply.html` for reflected cross-site scripting (XSS) via the `keyword` parameter.

A common detection method is to send a crafted HTTP request with an XSS payload in the `keyword` parameter and observe if the payload is executed or reflected unsanitized in the response.

  • Use curl to send a test request with a simple XSS payload, for example: curl -i "http://<target>/channel/admin.Account/autoReply.html?keyword=<script>alert(1)</script>"
  • Use a web proxy or browser developer tools to inspect the response and check if the script tag is reflected without sanitization.
  • Alternatively, use automated web vulnerability scanners that support XSS detection targeting the specific URL and parameter.
Mitigation Strategies

Immediate mitigation steps include sanitizing and validating user input on the `keyword` parameter to prevent injection of malicious scripts.

Since the vendor has not responded, consider implementing a Web Application Firewall (WAF) rule to block or filter requests containing suspicious script tags or typical XSS payloads targeting the vulnerable endpoint.

Restrict access to the affected URL `/channel/admin.Account/autoReply.html` if possible, especially from untrusted networks.

Educate users to avoid clicking on suspicious links that may exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4846. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart