CVE-2026-1136
Description
A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BootDo ContentController save method lacks XSS filtering, enabling unauthenticated reflected XSS via content/author/title parameters in /blog/bContent/save.
Vulnerability Overview
A reflected cross-site scripting (XSS) vulnerability exists in the BootDo system, affecting the Save method of the ContentController class, located in the endpoint /blog/bContent/save [1]. The vulnerability is present in the product as of commit e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. The application fails to sanitize user-supplied input to the content, author, and title parameters before rendering them in responses, allowing an attacker to inject arbitrary HTML or JavaScript [1].
Exploitation and Attack Surface
Remote exploitation is possible without authentication or special network access, making the attack surface broad [1]. An attacker only needs to craft a malicious link or request containing a script payload in one of the vulnerable parameters and deliver it to a target user who has access to the BootDo application. The target's browser then executes the injected script, as the server returns the unescaped payload in the page [1]. The exploit has been publicly disclosed, increasing the risk of active attacks.
Impact
Successful exploitation can lead to session hijacking, credential theft, defacement of web pages, and compromise of the application's integrity [1]. An attacker can perform actions on behalf of the victim, access or exfiltrate sensitive data, and further pivot within the application if the user's session is sufficiently privileged [1].
Mitigation Status
BootDo follows a rolling release model, and no specific patched version has been officially announced [1]. The recommended mitigations are to encode all user-generated output before display, implement strict input validation and server-side filtering, and deploy a Content Security Policy to restrict script execution [1]. Organizations using BootDo should apply these measures and monitor for official updates.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
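The output encoding, server-side validation and Content Security Policy named under Mitigation Status, sketched as an added example that is not BootDo's code or an official patch. The class name, the 200-character limit and the CSP value are assumptions, and the sample submission is constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical helper class, not BootDo code).
public class BlogFieldEncoder {
    // Assumed policy value; tune it to the scripts the deployment really loads.
    static final String CSP =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

    // Encode the characters that let text break out of HTML element
    // content or a quoted attribute value.
    static String escapeHtml(String in) {
        if (in == null) return "";
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (char c : in.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Server-side validation for short text fields: bounded, no control chars.
    static boolean isValidShortText(String s, int maxLen) {
        return s != null && !s.isEmpty() && s.length() <= maxLen
            && s.chars().noneMatch(Character::isISOControl);
    }

    public static void main(String[] args) {
        // Constructed sample submission using the three parameters from the CVE.
        Map<String, String> form = new LinkedHashMap<>();
        form.put("title", "<script>alert(1)</script>");
        form.put("author", "O'Brien \"ops\"");
        form.put("content", "Patch notes <b>v2</b> & fixes");

        for (Map.Entry<String, String> e : form.entrySet()) {
            boolean shortField = !e.getKey().equals("content");
            if (shortField && !isValidShortText(e.getValue(), 200)) {
                System.out.println(e.getKey() + ": rejected");
                continue;
            }
            System.out.println(e.getKey() + ": " + escapeHtml(e.getValue()));
        }
        System.out.println("Content-Security-Policy: " + CSP);
    }
}
```

The title passes length validation and is only made inert by encoding at output, which is why validation alone is not sufficient. The example treats content as plain text; if the application is meant to display it as rich HTML, an allow-list HTML sanitizer is needed in place of blanket escaping.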
Patches
No patches discovered yet.
References (4)
News mentions
No linked articles in our index yet.