CVE-2026-9144
Stored XSS in Taiko AG1000-01A SMS Alert Gateway
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| taiko | ag1000-01a_sms_alert_gateway | 7.3 |
| taiko | ag1000-01a_sms_alert_gateway | 8 |
| taiko | ag1000-01a_sms_alert_gateway | From 7.3 (inc) to 8 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not explicitly discuss the impact of CVE-2026-9144 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-9144 is a stored cross-site scripting (XSS) vulnerability in the Taiko AG1000-01A SMS Alert Gateway, specifically in versions Rev 7.3 and Rev 8. It exists in the embedded web configuration interface and allows authenticated attackers to execute persistent JavaScript code.
Attackers exploit this by fragmenting malicious payloads across multiple administrative form fields and bypassing front-end length restrictions using JavaScript comments and template literals. These script fragments are concatenated and rendered in administrative dashboard views such as index.zhtml, resulting in persistent script execution within administrative sessions.
How can this vulnerability impact me?
This vulnerability allows authenticated attackers to execute persistent malicious JavaScript within the administrative interface of the Taiko AG1000-01A SMS Alert Gateway.
Such persistent script execution can lead to unauthorized actions within administrative sessions, potentially compromising the integrity and security of the system, stealing sensitive information, or manipulating administrative functions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting (XSS) issue in the embedded web configuration interface of the Taiko AG1000-01A SMS Alert Gateway. Detection involves verifying if malicious JavaScript payloads can be injected and persist in administrative dashboard views such as index.zhtml.
Since the vulnerability requires authenticated access and involves fragmented JavaScript payloads across multiple administrative form fields, detection can be performed by attempting to input specially crafted scripts using the web interface and observing if the scripts execute persistently in the admin dashboard.
No specific commands are provided in the available resources for automated detection or scanning.
What immediate steps should I take to mitigate this vulnerability?
The provided information does not include explicit mitigation steps or patches.
However, general best practices for mitigating stored XSS vulnerabilities include restricting administrative access, applying input validation and sanitization on all form fields, and monitoring for suspicious script execution within administrative sessions.
It is also advisable to check for vendor updates or patches addressing this vulnerability and apply them as soon as they become available.
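Because the fragments are concatenated before rendering, a complete tag can appear in the page even though no single stored field contains one, so per-field input checks alone do not close the issue. The following is an added example, not code from the vendor or the advisory: it contrasts unsafe concatenation with server-side length checks plus output encoding at render time, and flags stored values containing markup characters. All field names, the length limit and the functions are hypothetical.

```javascript
// Added illustration. Field names, the length limit and all functions are
// hypothetical; nothing here is taken from the AG1000-01A firmware.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Length limit enforced on the server, independent of any form maxlength.
const MAX_FIELD_LEN = 16;

function validateField(name, value) {
  if (typeof value !== 'string') throw new TypeError(`${name}: not a string`);
  if (value.length > MAX_FIELD_LEN) {
    throw new RangeError(`${name}: longer than ${MAX_FIELD_LEN} characters`);
  }
  return value;
}

// Unsafe pattern: stored values are concatenated straight into markup.
function renderUnsafe(fields) {
  return '<td>' + fields.map((f) => f.value).join(' ') + '</td>';
}

// Hardened: every value is validated and encoded as it is written out, so
// fragments stay inert text however they line up after concatenation.
function renderSafe(fields) {
  const cells = fields.map((f) => escapeHtml(validateField(f.name, f.value)));
  return '<td>' + cells.join(' ') + '</td>';
}

// Audit helper: names of stored fields whose value contains markup characters.
function findSuspectFields(fields) {
  return fields.filter((f) => escapeHtml(f.value) !== f.value).map((f) => f.name);
}

// Constructed sample: harmless bold markup split across two fields.
const sampleFields = [
  { name: 'site_name', value: '<b' },
  { name: 'contact', value: '>ops desk</b>' },
  { name: 'location', value: 'Rack 4' },
];
```

Neither sample fragment is a complete tag on its own, yet `renderUnsafe` emits a working `<b>` element while `renderSafe` emits only text, and `findSuspectFields` still flags both fragments for review.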