CVE-2026-44956
Summary
| CVE | CVE-2026-44956 |
|---|---|
| State | PUBLISHED |
| Assigner | hackerone |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-23 17:16:59 UTC |
| Updated | 2026-06-25 19:52:36 UTC |
| Description | Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious JavaScript payload executed due to missing output sanitisation. Proper escaping has been added to the userlog details output. |
Risk And Classification
Primary CVSS: v3.0 0 NONE from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
EPSS: 0.003040000 probability, percentile 0.220800000 (date 2026-06-26)
Problem Types: CWE-79 Cross-site Scripting (XSS) - Stored
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Secondary | 0 | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N |
| 3.0 | CNA | DECLARED | 0 | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | None |

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| hackerone.com/reports/3669623 | [email protected] | hackerone.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: barcrange (3l4) (en)
There are currently no legacy QID mappings associated with this CVE.