CVE-2026-7596
Cross-Site Scripting in UI-UX-Pro-Max-Skill
Publication date: 2026-05-01
Last updated on: 2026-05-05
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextlevelbuilder | ui-ux-pro-max-skill | up to and including 2.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the nextlevelbuilder ui-ux-pro-max-skill software up to version 2.5.0. It affects the function data.get in the file .claude/skills/design-system/scripts/generate-slide.py, which is part of the Slide Generator component. The issue allows an attacker to perform cross-site scripting (XSS) attacks by supplying crafted input that this function passes into the generated slides.
The attack can be carried out remotely, and the exploit has already been publicly disclosed. Although the project was informed early through a pull request, no fix has been implemented yet.
How can this vulnerability impact me?
This vulnerability can lead to cross-site scripting (XSS) attacks, which may allow an attacker to inject malicious scripts into web pages viewed by other users. This can result in unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, and potential compromise of user accounts.
Since the attack can be performed remotely and requires no privileges, it poses a risk to any user interacting with the affected component.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows malicious JavaScript code injection into slide content, which can lead to execution of unauthorized scripts when the slides are viewed.
Such XSS vulnerabilities can enable attackers to perform actions like cookie theft, session hijacking, phishing, keylogging, and credential harvesting.
These impacts can compromise the confidentiality and integrity of user data, potentially violating data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive information against unauthorized access and breaches.
Therefore, the presence of this vulnerability may lead to non-compliance with these standards due to the risk of data exposure and unauthorized data manipulation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Slide Generator component of the ui-ux-pro-max-skill project, specifically in the data.get function calls that embed user-controlled data into HTML without proper escaping.
Detection involves identifying if any generated HTML slide decks contain unescaped user input that could execute JavaScript code when opened in a browser.
You can detect potential exploitation by scanning generated HTML files for suspicious script tags or event handlers injected via user input fields such as title, problem, solution, metrics, chart, testimonial, or CTA URLs.
Suggested commands include using grep or similar tools to search for suspicious patterns in generated HTML files, for example:
- `grep -E '<script|onerror|javascript:' path/to/generated/slides/*.html`
- `grep -r --include='*.html' -iE '(<script|onerror|javascript:)' path/to/generated/slides/`
Additionally, manual inspection or automated scanning tools that detect XSS payloads in HTML files can be used to confirm the presence of malicious code.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying proper HTML escaping and URL validation to all user-controlled data embedded in the Slide Generator's output.
Specifically, implement HTML escaping for all data.get() calls in the slide generator functions to prevent injection of executable code.
Validate URL schemes in user inputs to allow only safe schemes such as http://, https://, #, and /, blocking javascript: or other dangerous schemes.
If you are using the affected versions (up to 2.5.0), update to a fixed version or apply the patch from the pull request that introduces helper functions _e() for HTML escaping and _safe_url() for URL validation.
Until a fix is applied, avoid opening generated slide decks from untrusted sources or inputs, as they may contain malicious scripts.
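Added example (not the project's own code): a Python sketch of the mitigation described above. The helper names _e() and _safe_url() follow the pull request as the answer describes it, but their bodies, the render_slide()/render_slide_unsafe() functions, the field names and the SAMPLE dict are assumptions constructed for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # plus "#..." and "/..." relative targets

def _e(value) -> str:
    """HTML-escape a user-controlled value for a text node or attribute value."""
    return html.escape("" if value is None else str(value), quote=True)

def _safe_url(url) -> str:
    """Allow only http(s) URLs, fragments and site-relative paths; else return '#'."""
    url = "" if url is None else str(url).strip()
    if url.startswith("//"):          # protocol-relative: points off-site, reject
        return "#"
    if url.startswith(("#", "/")):    # fragment or same-origin path
        return url
    if urlsplit(url).scheme.lower() in ALLOWED_SCHEMES:
        return url
    return "#"                        # javascript:, data:, vbscript:, bare words, ...

def render_slide_unsafe(data: dict) -> str:
    """The pattern the advisory describes: data.get() values interpolated as-is."""
    return (f'<section><h1>{data.get("title", "")}</h1>'
            f'<a href="{data.get("cta_url", "#")}">{data.get("cta_text", "")}</a>'
            f'</section>')

def render_slide(data: dict) -> str:
    """Hardened form: every data.get() value passes through _e() or _safe_url()."""
    return (f'<section><h1>{_e(data.get("title"))}</h1>'
            f'<p>{_e(data.get("problem"))}</p>'
            f'<a href="{_safe_url(data.get("cta_url"))}">{_e(data.get("cta_text"))}</a>'
            f'</section>')

# Constructed sample input (not from any real deck) carrying the two injection
# shapes the advisory names: a script tag in a text field and a javascript: CTA URL.
SAMPLE = {
    "title": "<script>alert(1)</script>",
    "problem": 'Churn is "high"',
    "cta_url": "javascript:alert(1)",
    "cta_text": "Learn more",
}

if __name__ == "__main__":
    print(render_slide(SAMPLE))
```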