CVE-2026-44956
Status: Received - Intake
Stored XSS in Userlog System via Email Content

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: HackerOne

Description
Low-privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system-generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious JavaScript payload executed due to missing output sanitisation. Proper escaping has been added to the userlog details output.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability allows low-privileged users to exploit their Full Name field as a vector for a stored Cross-Site Scripting (XSS) attack. The Full Name is included in system-generated emails, and the email content is stored in the userlog table. When an admin user views this email content through a specific interface (userlog-details.php), any malicious JavaScript embedded in the Full Name is executed because the output is not properly sanitized.

The issue has been addressed by adding proper escaping to the userlog details output to prevent execution of malicious scripts.

Impact Analysis

This vulnerability could allow an attacker with low privileges to execute malicious JavaScript code in the context of an admin user viewing the userlog details. This could lead to unauthorized actions performed by the admin user, such as session hijacking, data theft, or other malicious activities that rely on executing scripts in the admin's browser.

Mitigation Strategies

To mitigate this vulnerability, ensure that proper escaping and output sanitisation are applied to the userlog details output, especially in userlog-details.php where system-generated emails including user Full Names are displayed.

Additionally, restrict what low-privileged users can enter in their Full Name field; input validation here is defence in depth, not a substitute for escaping on output. Review the system to confirm that the patch or update addressing this issue has been applied.
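To make the Description and Mitigation Strategies concrete, the following PHP is an added illustration written for this page, not code from the affected project. The function names, the userlog row layout, the email text and the sample Full Name are all constructed assumptions; only the idea that the details column holds an email embedding the name, and that the fix is escaping on output, comes from the advisory.

```php
<?php
// Added illustration for CVE-2026-44956 (not the affected project's code).
// Row layout, email template, function names and sample data are assumed.
declare(strict_types=1);

// Constructed userlog row: the details column stores a system-generated
// email whose body embeds the user-supplied Full Name verbatim.
$fullName = 'Alice <script>alert(1)</script>';   // constructed sample name
$row = [
    'id'      => 42,
    'details' => "Subject: Account created\n\nWelcome, {$fullName}! Your account is ready.",
];

// Vulnerable pattern (what the advisory describes): the stored email text
// is written into the admin page as-is, so the browser parses the name as
// markup and runs the embedded script.
function render_details_vulnerable(array $row): string
{
    return '<pre class="userlog-details">' . $row['details'] . '</pre>';
}

// Fixed pattern: escape at the point of output. htmlspecialchars turns
// <, >, &, " and ' into entities, so the name is shown literally.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_details_fixed(array $row): string
{
    return '<pre class="userlog-details">' . escape_html($row['details']) . '</pre>';
}

// Regression check: the fixed output must never contain a raw <script> tag,
// only its entity-encoded form.
$fixed = render_details_fixed($row);
assert(!str_contains($fixed, '<script>'));
assert(str_contains($fixed, '&lt;script&gt;'));

echo render_details_vulnerable($row), "\n";   // raw payload reaches the page
echo $fixed, "\n";                             // payload rendered as text
```

Escaping must happen wherever the details field is emitted into HTML (every template, not just one page), and the same rule applies to any other user-controlled value that ends up in stored email text.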
