CVE-2026-27787
Received Received - Intake
Cross-Site Scripting in MATCHA SNS 1.3.9 Allows Script Execution

Publication date: 2026-04-08

Last updated on: 2026-04-17

Assigner: JPCERT/CC

Description
Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27787
EUVD
EUVD-2026-20052
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
icz matcha_sns to 1.3.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27787 is a cross-site scripting (XSS) vulnerability found in MATCHA SNS versions 1.3.9 and earlier.

This flaw allows authenticated users to inject malicious scripts into profile names or file names.

When other users access these profiles or files, the malicious scripts execute in their web browsers.

Compliance Impact

The vulnerability allows authenticated users to inject malicious scripts that can execute in other users' browsers, potentially leading to theft of cookies, account impersonation, and manipulation of page content.

Such unauthorized access and manipulation of user data could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and preventing unauthorized access.

However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with these or other common standards and regulations.

Impact Analysis

Exploitation of this vulnerability can lead to theft of cookies from logged-in users.

This enables attackers to impersonate user accounts and manipulate page content.

Mitigation Strategies

To mitigate the CVE-2026-27787 cross-site scripting vulnerability in 抹茢SNS versions 1.3.9 and earlier, users should promptly update to 抹茢SNS version 1.3.10, which contains fixes preventing unauthorized script execution in users' browsers.

It is recommended to download the latest version from the official product download page and follow the upgrade instructions provided in the developer blog.

Additionally, users of the open-source version running on PHP 5.6 should consider migrating to the paid version supporting PHP 8.2 with enhanced security, as the open-source version is no longer officially supported for production.

Detection Guidance

This vulnerability is a cross-site scripting (XSS) issue in 抹茢SNS versions 1.3.9 and earlier, where authenticated users can inject malicious scripts into profile names or file names. Detection involves checking if your system is running an affected version of 抹茢SNS.

To detect the vulnerability on your system, first verify the version of 抹茢SNS installed. If it is version 1.3.9 or earlier, your system is vulnerable.

There are no specific commands provided in the resources to detect exploitation attempts or scan for this vulnerability directly.

A practical approach is to check the version by inspecting the application files or querying the application version via its interface or command line if supported.

Additionally, monitoring web traffic for suspicious script injections in profile names or file names could help detect exploitation attempts, but no specific commands or tools are mentioned.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27787. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart