Executive Summary

CVE-2026-38949 is a Stored Cross-Site Scripting (XSS) vulnerability in HTMLy version 3.1.1, specifically in the content creation functionality at the /add/content?type=image endpoint.

The application fails to properly sanitize user input, allowing an attacker with low privileges to inject malicious JavaScript code into image post content.

This malicious code is stored and later executed when an administrator views the infected post, enabling the attacker to perform unauthorized actions such as stealing CSRF tokens and changing the administrator's password.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a complete compromise of the HTMLy application through administrator account takeover.

• An attacker with low privileges can inject malicious scripts that execute in the administrator's browser session.
• The attacker can steal the administrator's CSRF token and use it to bypass CSRF protections.
• Using the stolen token, the attacker can change the administrator's password and gain full control over the application.
• This results in persistent unauthorized access and potential further exploitation of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the content field at the /add/content?type=image endpoint in HTMLy version 3.1.1. Specifically, look for image posts containing suspicious onerror event handlers that execute JavaScript.

One way to detect exploitation attempts is to monitor HTTP requests to the /add/content?type=image endpoint for POST requests containing suspicious payloads, such as <img src=x onerror=...> scripts.

Additionally, reviewing stored posts in the /admin/posts interface for unexpected JavaScript code in image content fields can help identify exploited posts.

Suggested commands for detection include using curl or similar tools to fetch and inspect posts or logs, for example:

• curl -X POST -d 'type=image&content=<payload>' https://your-htmly-site/add/content?type=image -- to test if payloads are accepted.
• grep -r '<img src=x onerror=' /path/to/htmly/content/ - to search stored content files for suspicious payloads.
• Monitor web server access logs for POST requests to /add/content?type=image containing suspicious JavaScript.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the content creation functionality at the /add/content?type=image endpoint to prevent injection of malicious scripts.

Ensure that only trusted and authenticated users have access to create or edit image posts.

Manually review and remove any posts containing suspicious JavaScript payloads in the content field.

If possible, update or patch HTMLy to a version that properly sanitizes user input in the content creation functionality.

As a temporary workaround, consider implementing web application firewall (WAF) rules to block requests containing suspicious JavaScript payloads targeting the vulnerable endpoint.

Advise administrators to avoid viewing untrusted posts until the vulnerability is resolved to prevent exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to perform an administrator account takeover through stored Cross-Site Scripting (XSS) and CSRF token abuse, leading to unauthorized access and control over the application.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly detail the direct effects on compliance or mention specific regulatory impacts.

Useful 0 Not Useful 0