Stored Cross-Site Scripting Vulnerability in NukeViet CMS by NukeViet
CVE-2026-41147

8.7 HIGH

Key Information:

Vendor: Nukeviet

Status
Vendor
CVE Published: 22 May 2026

What is CVE-2026-41147?

NukeViet CMS, a multi-purpose content management system, contains a stored cross-site scripting (XSS) vulnerability in versions 4.5.07 and earlier, caused by inadequate server-side input sanitization in its Request class. The vulnerability allows attackers to inject malicious scripts, which are then executed when users browse the affected content. Because client-side filters are easily bypassed by manipulating HTTP requests, anyone who accesses user-submitted content, such as administrators or regular anonymous users, could be impacted. The consequences include session hijacking, unauthorized actions performed in the victim's context, and possible phishing through manipulated notifications. Upgrading to version 4.5.08 is recommended to fix this issue; immediate protective measures include implementing server-side sanitization and enforcing a robust Content Security Policy.

Affected Version(s)

nukeviet < 4.5.08

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved