CVE-2026-49259

HIGHPre-NVD 8.78.7
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.7 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
8.7
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 8.7Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

A stored cross-site scripting (XSS) vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display name fields. The payload executes in the browser of any visitor — including administrators — who clicks the Reply ("Answer") link on a comment posted by that user.

Affected Component

The {COMMENT.post_name} template variable is interpolated without JavaScript-context escaping into an inline onclick handler in both comment block positions:

  • themes/default/modules/comment/comment.tpl line 27 (top-level comments)
  • themes/default/modules/comment/comment.tpl line 64 (nested/reply comments)

onclick="nv_commment_feedback(event, {COMMENT.cid}, '{COMMENT.post_name}')"

Root Cause

The first_name and last_name profile fields are sanitized with HTML numeric character references ('', ((, )), //) via Request::_get_title() with $specialchars = true. This encoding is correct for plain HTML attribute and element contexts, but insufficient for a JavaScript string literal embedded inside an HTML attribute.

Browsers decode HTML entities in attribute values before the JavaScript engine parses the string. As a result, ' is decoded back to ', which terminates the JS string early and allows the remainder of the value to be executed as JavaScript.

The combined display name (nv_show_name_user(first_name, last_name)) is what reaches the template, giving an attacker up to ~200 encoded characters across both fields — sufficient for any practical payload.

Proof of Concept

Set first_name to the following value in profile settings (/index.php?nv=users&op=editinfo), then post any comment:

a');alert(document.domain);//

The value is stored as a');alert(document.domain);//.

When a visitor clicks the Reply link on the comment, the browser renders:

nv_commment_feedback(event, 1, 'a');alert(document.domain);// Tester')

causing alert(document.domain) to execute in the visitor's browser context.

A data-exfiltration variant (split across both name fields) navigates the victim's browser to an attacker-controlled URL carrying document.cookie as a query parameter. End-to-end verification was performed using a local listener.

Exploitation Conditions (default configuration)

| Condition | Default value | Effect | |---|---|---| | captcha_area_comm | 1 | No CAPTCHA for logged-in users — payload delivery requires no CAPTCHA solve | | auto_postcomm | enabled | Comments are published immediately without moderation | | active_editinfo_censor | 0 | Profile edits take effect immediately without admin review | | CSP script-src | 'unsafe-inline' | Inline onclick handlers execute normally |

Any registered member can set the payload and post a comment with no additional steps.

If captcha_area_comm is set to 0, the name field of anonymous comments (modules/comment/funcs/post.php) is processed by the same get_title(..., 1) call, making exploitation possible without authentication.

Impact

An attacker with a regular user account can execute arbitrary JavaScript in the browser of any visitor who interacts with the Reply button on their comment, including site administrators.

Practical consequences include:

  • Privilege escalation via admin session hijacking — forging administrative actions (content modification, account manipulation) in the context of an authenticated admin.
  • Credential phishing — injecting a fake login form into the page.
  • Data exfiltration — reading page content and non-HttpOnly cookies.

> Note: NukeViet session cookies carry the HttpOnly flag, so they are not directly readable via document.cookie; however, the above attack vectors remain fully viable.

Remediation

Preferred fix: Remove post_name from the inline handler entirely. Pass only cid to nv_commment_feedback and have the function retrieve the display name from the already-rendered DOM (e.g., the adjacent ` element).

Alternative fix: If the value must be passed inline, encode it with json_encode($post_name) (PHP) so that the output is a properly escaped JavaScript string literal, not an HTML-entity-encoded one. HTML numeric character references must not be relied upon for JavaScript string escaping.

As a general note, the result of get_title(..., $specialchars=true)` is safe for HTML element content and quoted HTML attribute values, but unsafe when placed inside a JavaScript string literal within an attribute. Other locations in the codebase using the same pattern should be audited.

Resources

  • OWASP: Cross Site Scripting Prevention — Rule 2: Attribute Encoding is Not Sufficient for JS Contexts
  • CWE-79: Improper Neutralization of Input During Web Page Generation
  • CWE-116: Improper Encoding or Escaping of Output

CVSS v3
8.7
EG Score
8.7(low)
EPSS
KEV
Not listed

Published

July 13, 2026

Last Modified

July 13, 2026

Vendor Advisories for CVE-2026-49259(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 6× in last 7d / 6× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 00:18 UTCEG score recompute
  2. 2026-07-15 13:29 UTCEG score recompute
  3. 2026-07-15 02:37 UTCEG score recompute
  4. 2026-07-14 15:46 UTCEG score recompute
  5. 2026-07-14 04:56 UTCEG score recompute
  6. 2026-07-13 18:07 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-49259?
CVE-2026-49259 is a high vulnerability published on July 13, 2026. NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Summary A stored cross-site scripting (XSS) vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display…
When was CVE-2026-49259 disclosed?
CVE-2026-49259 was first published in the National Vulnerability Database on July 13, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-49259?
CVE-2026-49259 has a CVSS v4.0 base score of 8.7 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-49259?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49259, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49259

Explore →

Is Your Infrastructure Affected by CVE-2026-49259?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.