Cross-Site Scripting Vulnerability in HTMLy by Danpros
CVE-2026-38949

8.9 HIGH

Key Information:

Vendor: Danpros

Status
Vendor
CVE Published: 28 April 2026

What is CVE-2026-38949?

A Cross-Site Scripting (XSS) vulnerability in HTMLy version 3.1.1, in the content creation functionality at the /add/content?type=image endpoint, allows attackers to inject arbitrary code because user input is insufficiently sanitized. The flaw puts the integrity of the application and of user data at risk.

CVSS V3.1

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
