Stored Cross Site Scripting Vulnerability in Skyworth Router
Description
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the DDNS Username parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system.
Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in Skyworth Router CM5100 via insufficient validation of DDNS Username parameter allows remote attackers to execute arbitrary scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Skyworth Router CM5100, version 4.1.1.24. The web interface fails to properly validate user-supplied input for the DDNS Username parameter, allowing an attacker to inject arbitrary HTML or JavaScript code that is stored on the device and later executed in the context of an administrator's browser [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the router's web interface, targeting the DDNS Username field. The malicious payload is stored and subsequently rendered when an administrator accesses the affected configuration page, triggering the XSS [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the administrator's browser session. This can lead to session hijacking, defacement of the router's web interface, or further compromise of the device and network [1].
Mitigation
As of the publication date, no official firmware update has been released to address this vulnerability. Users are advised to monitor the vendor's support channels for patches and, as a workaround, disable the DDNS feature if not required. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =4.1.1.24
- Hathway/Skyworth Router CM5100v5, Range: 0
Patches
No patches discovered yet.
References (1)