CVE-2026-4847
Cross-Site Scripting in dameng100 muucmf /admin/config/list.html
Publication date: 2026-03-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dameng100 | muucmf | 1.9.5.20260309 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4847 is a Reflected Cross-Site Scripting (XSS) vulnerability found in Muucmf T6 CMS version 1.9.5.20260309. It exists in the /admin/config/list.html endpoint via the "name" parameter.
The root cause is that user input is directly assigned to the value attribute of an input tag without any filtering or sanitization, allowing a remote attacker to inject arbitrary JavaScript code.
When a victim accesses a crafted URL containing the malicious "name" parameter, the injected script executes in their browser session.
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary JavaScript in the context of the affected user's browser session.
- Attackers can hijack user sessions.
- Attackers can execute unauthorized scripts, potentially stealing sensitive information or performing actions on behalf of the user.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /admin/config/list.html endpoint for reflected cross-site scripting (XSS) via the "name" parameter.
A common method is to send a crafted HTTP request with an XSS payload in the "name" parameter and observe if the payload is reflected and executed in the response.
- Use curl or similar tools to send a request like: `curl -v "http://<target>/admin/config/list.html?name=<script>alert(1)</script>"`
- Check the response in a browser or with tools that render HTML to see if the script executes or is reflected unsanitized.
- Alternatively, use automated web vulnerability scanners that test for reflected XSS vulnerabilities on the specified endpoint.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating the "name" parameter input to prevent injection of malicious scripts.
If you have access to the source code, apply input filtering or encoding on the value assigned to the input tag in /admin/config/list.html to neutralize any script tags or special characters.
As a temporary measure, restrict access to the /admin/config/list.html endpoint to trusted users or IP addresses to reduce exposure.
Monitor for any suspicious activity or exploitation attempts targeting this endpoint.
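The two defensive steps above (encode the value placed in the input tag, and watch the endpoint for injection attempts) as an added Python example; this is not muucmf's own code, and the log lines, the `render_name_field_*` functions and the log format are constructed for illustration:

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Vulnerable pattern the advisory describes: the "name" parameter is dropped
# straight into the value="" attribute of an <input> tag.
def render_name_field_vulnerable(name: str) -> str:
    return f'<input type="text" name="name" value="{name}">'

# Hardened form: HTML-attribute-encode the value. quote=True also encodes the
# double quote, which is the character that lets input leave value="...".
def render_name_field_hardened(name: str) -> str:
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'

def attribute_is_contained(rendered: str) -> bool:
    """True if the rendered markup is still a single tag, i.e. the parameter
    did not break out of the attribute and open markup of its own."""
    return rendered.count("<") == 1 and rendered.count(">") == 1

# Constructed access-log sample (Apache/Nginx combined-style, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2026:10:00:01 +0000] "GET /admin/config/list.html?name=site HTTP/1.1" 200 512
203.0.113.9 - - [26/Mar/2026:10:00:07 +0000] "GET /admin/config/list.html?name=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640
198.51.100.2 - - [26/Mar/2026:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters and tokens that have no business in a legitimate config name.
SUSPECT = re.compile(r'[<>"\']|javascript:|on\w+=', re.IGNORECASE)

def find_suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded name value) for requests to the affected
    endpoint whose "name" parameter carries markup or script indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlparse(target)
        if url.path != "/admin/config/list.html":
            continue
        for value in parse_qs(url.query).get("name", []):  # parse_qs URL-decodes
            if SUSPECT.search(value):
                hits.append((ip, value))
    return hits
```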
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-4847 is a reflected Cross-Site Scripting (XSS) vulnerability that allows remote attackers to inject and execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking and unauthorized actions.
Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or disclosure of sensitive personal or health information, violating data protection and privacy requirements.
Specifically, the ability to execute unauthorized scripts can compromise the confidentiality and integrity of user data, which are core principles in these regulations.