CVE-2026-54219
Status: Deferred - Pending Action
Stored XSS in UBB.threads via User Posts and Profile Fields

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: CERT.PL

Description
UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low-privileged attackers to inject arbitrary JavaScript that executes in a victim's browser when the content is viewed. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor        Product       Version / Range
ubbt_threads  ubbt_threads  from 7.7.5 (excluding)
ubb_systems   ubb.threads   up to 7.7.5 (including)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-54219 is a stored cross-site scripting (XSS) vulnerability in UBB.threads forum software, confirmed in version 7.7.5. It occurs because the application fails to properly sanitize user input in posts and profile fields, allowing low-privileged attackers to inject malicious JavaScript code.

When a victim views the affected content, the injected JavaScript executes in their browser, potentially leading to unauthorized actions.

Impact Analysis

This vulnerability can lead to unauthorized actions performed in the victim's browser, data theft, or session hijacking.

  • Attackers can steal sensitive information from users.
  • Attackers can hijack user sessions to impersonate victims.
  • Malicious scripts can perform actions on behalf of the victim without their consent.
Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in user posts and profile fields of UBB.threads software. Detection typically involves inspecting user-generated content for injected JavaScript code.

Since the vulnerability manifests when malicious scripts are stored and executed in browsers, network detection might include monitoring HTTP responses for suspicious script tags or unusual JavaScript payloads in user posts or profiles.

Specific commands are not provided in the available resources. However, common approaches include using web vulnerability scanners that detect stored XSS or manually searching the database or web content for suspicious script tags.

Mitigation Strategies

Immediate mitigation steps include strict validation of user input and, above all, context-appropriate output encoding when user posts and profile fields are rendered, so that stored markup is displayed as text rather than interpreted by the browser.

Since no official patch was available at the time of disclosure and vendor contact attempts were unsuccessful, administrators should consider disabling or limiting user-generated content features temporarily or applying web application firewall (WAF) rules to block malicious scripts.

Monitoring and educating users about suspicious activity can also help reduce the impact until a patch or official fix is released.
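The detection and mitigation guidance above, as an added example that is not code from UBB.threads or this advisory: it scans constructed post and profile rows for the markup a stored XSS payload relies on, then shows that the recommended output encoding of the same rows leaves nothing to flag. Field names and sample values are assumptions.

```python
import html
import re

# Constructed sample rows standing in for the two storage locations the advisory
# names (post bodies and profile fields); the field names are hypothetical.
SAMPLE_ROWS = [
    {"id": 101, "field": "post_body", "value": "Use the [b]bold[/b] tag, not a <b> one."},
    {"id": 102, "field": "post_body", "value": "<ScRiPt>alert(1)</script>"},
    {"id": 103, "field": "profile_signature", "value": '<img src=x onerror = "alert(1)">'},
    {"id": 104, "field": "profile_location", "value": '<a href="JavaScript:alert(1)">here</a>'},
    {"id": 105, "field": "profile_signature", "value": "&lt;script&gt;already encoded&lt;/script&gt;"},
]

# Each rule is (name, compiled regex). Case-insensitive and whitespace-tolerant so
# mixed case or padding around '=' in stored content does not escape the scan.
RULES = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"\b(?:href|src|action)\s*=\s*[\"']?\s*javascript\s*:", re.I)),
    ("active_embed", re.compile(r"<\s*(?:iframe|object|embed|svg)\b", re.I)),
]


def scan_value(value):
    """Return the names of every rule that matches one stored value."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_rows(rows):
    """Return (id, field, rule) triples for every suspicious stored value.
    Row 101 (BBCode plus a harmless <b>) and row 105 (already entity-encoded,
    so the browser never sees a real '<') produce no findings."""
    findings = []
    for row in rows:
        for rule in scan_value(row["value"]):
            findings.append((row["id"], row["field"], rule))
    return findings


def render_field(value):
    """Output encoding for an HTML text or attribute context, the mitigation the
    advisory recommends: <, >, &, " and ' become entities, so the browser shows
    the characters instead of parsing them as markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print("suspicious:", finding)
    # Once every value is encoded at render time, the scanner finds nothing.
    print(scan_rows([dict(r, value=render_field(r["value"])) for r in SAMPLE_ROWS]))
```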

Compliance Impact

The stored cross-site scripting (XSS) vulnerability in UBB.threads allows attackers to inject malicious JavaScript that can execute in a victim's browser, potentially leading to unauthorized actions, data theft, or session hijacking.

Such unauthorized access and data theft could result in violations of data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability may negatively impact compliance with these standards by exposing user data to risk through insufficient input sanitization and inadequate protection against cross-site scripting attacks.
