CVE-2026-5249
Cross-Site Scripting in Gougucms Record Endpoint Allows Remote Attack

Publication date: 2026-04-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \gougucms-master\app\admin\view\user\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: gougucms
Product: gougucms
Version / Range: 4.08.18
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5249 is a Blind Cross-Site Scripting (Blind XSS) vulnerability found in Gougu CMS version 4.08.18. It occurs in the Record Endpoint component, specifically in the file \gougucms-master\app\admin\view\user\record.html. The vulnerability allows a low-privileged user to inject malicious JavaScript code into the system by manipulating the argument value.content. This malicious code is stored in the database and later executed in the browser of an administrator or other highly privileged authenticated user when they view the affected records or activity logs in the backend dashboard.

The root cause is the lack of input validation and output encoding: the user-controlled content is directly appended to the HTML DOM using jQuery without sanitization, allowing embedded scripts to run. This can lead to unauthorized script execution in an administrator's browser context.


How can this vulnerability impact me?

This vulnerability can have serious impacts including theft of administrative session cookies and unauthorized administrative actions. When an attacker injects malicious scripts, these scripts execute in the administrator's browser, potentially allowing the attacker to hijack the administrator's session or perform actions with administrative privileges without authorization.

Such impacts can compromise the security and integrity of the system, leading to further exploitation, data breaches, or unauthorized changes within the CMS.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing for stored cross-site scripting (XSS) payloads in the gougucms 4.08.18 application, specifically targeting the /admin/user/record endpoint where user input is stored and later rendered without sanitization.

A practical detection method involves injecting a benign XSS payload such as <script>alert(document.cookie)</script> or <img src=x onerror=alert(1)> into any user input fields that affect the record endpoint, then monitoring if the payload executes when an administrator views the records.

For network detection, monitoring HTTP requests to the /admin/user/record endpoint for suspicious payloads or unusual input patterns can help identify exploitation attempts.

Suggested commands for testing might include using curl or similar tools to submit payloads, for example:

  • curl -X POST -d "value.content=<script>alert(document.cookie)</script>" https://targetsite/admin/user/record
  • Observe the admin interface for execution of the injected script when viewing records.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing the execution of malicious scripts by implementing proper input validation and output encoding on the value.content field in the /admin/user/record endpoint.

Since the vulnerability arises from unsanitized user input being appended directly to the DOM, applying strict sanitization or escaping of HTML special characters before rendering is critical.

Additionally, restricting or monitoring user input that can be stored and later rendered in administrative views can reduce risk.

As an immediate workaround, limit access to the affected administrative pages to trusted users only and consider disabling or restricting the record viewing functionality until a patch or fix is available.

Finally, keep an eye out for vendor updates or patches, and apply them as soon as they become available.
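
The output-encoding fix described above, as an added example that is not gougucms code: it contrasts the concatenation pattern named as the root cause with an encoded version, and adds an audit pass over stored rows. The function names, the record shape and the sample rows are assumptions made for illustration.

```javascript
// Added example: escapeHtml, renderRecordRow* and auditStoredRecords are
// hypothetical names, not functions taken from gougucms.

// Encode the five characters that can change the HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored content is concatenated into markup that is
// later handed to an HTML sink such as jQuery .append() or .html().
function renderRecordRowUnsafe(record) {
  return '<tr><td>' + record.id + '</td><td>' + record.content + '</td></tr>';
}

// Hardened pattern: every dynamic value is encoded for the HTML text context.
// With jQuery, building the cell with .text(record.content) has the same effect.
function renderRecordRowSafe(record) {
  return '<tr><td>' + escapeHtml(record.id) + '</td><td>' +
    escapeHtml(record.content) + '</td></tr>';
}

// Audit pass: ids of stored records whose content carries markup characters,
// so they can be reviewed before an administrator opens the record list.
function auditStoredRecords(records) {
  return records
    .filter((r) => /[<>]/.test(String(r.content ?? '')))
    .map((r) => r.id);
}

// Constructed sample rows; row 2 reuses a test string quoted on this page.
const sampleRecords = [
  { id: 1, content: 'Updated profile nickname' },
  { id: 2, content: '<img src=x onerror=alert(1)>' },
  { id: 3, content: 'Tom & "Jerry" logged in' },
];

console.log(renderRecordRowSafe(sampleRecords[1]));
console.log('rows to review:', auditStoredRecords(sampleRecords));
```

Encoding at render time protects rows that were stored before any input validation was added, which is why the audit pass is a review aid rather than the fix itself.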


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to perform stored cross-site scripting (XSS) attacks that can lead to theft of administrative session cookies and unauthorized administrative actions.

Such unauthorized access and potential compromise of administrative accounts can result in exposure or misuse of sensitive personal data managed by the system.

This exposure and unauthorized access could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal data and secure administrative controls.

