CVE-2026-36521
Deferred Deferred - Pending Action

Cross Site Scripting (XSS) in PublicCMS Site Configuration

Vulnerability report for CVE-2026-36521, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
publiccms publiccms 5.202506.d

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-36521 is a Cross Site Scripting (XSS) vulnerability in PublicCMS version V5.202506.d, specifically in the site configuration management module of the backend.

An attacker who has logged into the backend can navigate to the Settings, then Site Configuration Management, select an entry, and click Modify Configuration Item. They can add a new row and insert malicious JavaScript code in the description field.

When the attacker saves the changes and returns to Site Configuration Management, triggering the modified entry by selecting Modify Configuration Item causes the malicious script to execute. This allows remote attackers to inject and run arbitrary scripts within the context of the affected application.

Detection Guidance

This vulnerability can be detected by verifying if the PublicCMS backend site configuration management module is vulnerable to Cross Site Scripting (XSS) attacks. Specifically, an authenticated user can test by logging into the backend, navigating to Settings, then Site Configuration Management, selecting an entry, and clicking Modify Configuration Item.

A test can be performed by adding a new row in the configuration item and inserting a JavaScript payload in the description field. After saving, if selecting Modify Configuration Item triggers the execution of the injected script, the vulnerability is present.

There are no specific network commands provided to detect this vulnerability automatically.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of the affected application.

Such execution can lead to unauthorized actions such as stealing session cookies, defacing the site, redirecting users to malicious sites, or performing actions on behalf of legitimate users.

Because the vulnerability requires backend login access, the attacker must have some level of authorized access, but once exploited, it can compromise the integrity and security of the site configuration and potentially the entire application.

Mitigation Strategies

To mitigate the Cross Site Scripting (XSS) vulnerability in PublicCMS V5.202506.d, immediately restrict backend access to trusted users only.

Avoid modifying or adding new configuration items in the Site Configuration Management module until a patch or fix is available.

Implement input validation and sanitization on the description field in the configuration management module to prevent injection of malicious scripts.

Monitor backend activity for suspicious modifications or unexpected script executions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36521. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart