CVE-2026-12202
Deferred Deferred - Pending Action
Cross-Site Scripting in Subrion CMS via Blocks Endpoint

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: VulDB

Description
A vulnerability has been found in Intelliants Subrion CMS up to 4.0.3. Affected by this issue is some unknown functionality of the component Blocks Endpoint. Such manipulation of the argument CSS class name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-06-17
AI Q&A
2026-06-15
EPSS Evaluated
2026-06-16
NVD
CVE-2026-12202
EUVD
EUVD-2026-36677
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
intelliants subrion_cms to 4.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue found in the Subrion CMS application, specifically in the Blocks endpoint. The problem arises because the CSS class name field is not properly validated or sanitized. Attackers can inject malicious scripts into this field, which are then stored on the server and executed automatically when accessed.

For example, an attacker can add a payload like "><img src=x onerror=alert('CVE-Hunters2')>" into the CSS class name field when editing or adding a block in the admin dashboard. This malicious script will then run in the context of users who view the affected content.

Impact Analysis

This vulnerability can have several severe impacts including:

  • Stealing session cookies, which can allow attackers to hijack user sessions.
  • Downloading malware onto users' devices.
  • Hijacking browsers to perform unauthorized actions.
  • Stealing credentials and other sensitive information.
  • Defacing websites, damaging reputation and trust.
Detection Guidance

This vulnerability can be detected by attempting to inject a malicious payload into the CSS class name field of the Blocks endpoint in the Subrion CMS admin dashboard. Specifically, you can try adding or editing a block and inserting a payload such as "><img src=x onerror=alert('CVE-Hunters2')>" into the CSS class name field and then saving it.

If the payload executes (for example, an alert box appears), it confirms the presence of the stored cross-site scripting vulnerability.

There are no specific network commands provided, but detection involves interacting with the web application interface where the Blocks endpoint is accessible.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable Blocks endpoint or refraining from adding or editing blocks with untrusted input in the CSS class name field.

Since the vendor has not responded or provided a patch, it is recommended to implement input validation and sanitization on the CSS class name field to prevent injection of malicious scripts.

Additionally, restrict administrative access to trusted users only and monitor for any suspicious activity related to block editing.

Compliance Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Subrion CMS Blocks endpoint that allows attackers to inject malicious scripts. This can lead to stealing session cookies, hijacking browsers, stealing credentials, and obtaining sensitive information.

Such impacts can potentially affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and sensitive information from unauthorized access and breaches.

However, the provided information does not explicitly state or analyze how this specific vulnerability affects compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart