CVE-2026-36521
Received - Intake
Cross Site Scripting (XSS) in PublicCMS Site Configuration

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
publiccms | publiccms | 5.202506.d
CWE ID: CWE-UNKNOWN
Detection Guidance

To detect this vulnerability, check whether the PublicCMS backend site configuration management module executes script content saved in a configuration item. An authenticated user can test this by logging into the backend, navigating to Settings, then Site Configuration Management, selecting an entry, and clicking Modify Configuration Item.

A test can be performed by adding a new row in the configuration item and inserting a JavaScript payload in the description field. After saving, if selecting Modify Configuration Item triggers the execution of the injected script, the vulnerability is present.

There are no specific network commands provided to detect this vulnerability automatically.

Executive Summary

CVE-2026-36521 is a Cross Site Scripting (XSS) vulnerability in PublicCMS version V5.202506.d, specifically in the site configuration management module of the backend.

An attacker who has logged into the backend can navigate to Settings, then Site Configuration Management, select an entry, and click Modify Configuration Item. They can then add a new row and insert malicious JavaScript code in the description field.

After the attacker saves the changes and returns to Site Configuration Management, selecting Modify Configuration Item on the modified entry causes the malicious script to execute. This allows remote attackers to inject and run arbitrary scripts within the context of the affected application.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of the affected application.

Such execution can lead to unauthorized actions such as stealing session cookies, defacing the site, redirecting users to malicious sites, or performing actions on behalf of legitimate users.

Because the vulnerability requires backend login access, the attacker must have some level of authorized access, but once exploited, it can compromise the integrity and security of the site configuration and potentially the entire application.
