CVE-2026-1183
Description
HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen. It is caused by a lack of proper validation of user input and is triggered by sending a request to '/search' using the 'q' parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Botble products (TransP, Athena, Martfury, Homzen) are vulnerable to HTML injection via the 'q' parameter in the /search endpoint due to insufficient input validation.
Vulnerability
Overview
CVE-2026-1183 is an HTML injection vulnerability affecting multiple Botble products, including TransP, Athena, Martfury, and Homzen. The root cause is a lack of proper validation of user input when a request is sent to the '/search' endpoint using the 'q' parameter [1]. This allows an attacker to inject arbitrary HTML code into the application's response.
Exploitation
The vulnerability can be exploited by sending a specially crafted request to the '/search' page with malicious HTML in the 'q' parameter. The attack requires user interaction (UI:A) but no privileges (PR:N) and can be performed over the network (AV:N) with low attack complexity (AC:L) [1]. An attacker does not need to be authenticated to trigger the injection.
Impact
Successful exploitation allows an attacker to inject arbitrary HTML content into the application's output. This can lead to phishing attacks, defacement, or other client-side attacks that rely on manipulating the rendered page. The CVSS v4.0 base score is 5.1 (Medium), with the vector indicating no direct impact on confidentiality, integrity, or availability of the system itself, but a low impact on the integrity of the user's session or interface [1].
Mitigation
As of the publication date, no official solution or patch has been reported by Botble [1]. Users of the affected products should monitor vendor advisories for updates and consider implementing input validation or output encoding as a workaround until a fix is available.
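The two workarounds named above, as an added example (not Botble code and not taken from the advisory): a coarse input check on the 'q' parameter of '/search' requests, and HTML output encoding of the search term before it is echoed. The function names, the decode-round cap, the results heading markup and the sample URLs are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Angle brackets are what open and close HTML tags. Quotes are deliberately not
# rejected here (searches such as "men's shoes" are legitimate); they are
# neutralised by the output encoding in render_heading() instead.
TAG_CHARS = re.compile(r"[<>]")
MAX_DECODE_ROUNDS = 3  # assumption: cap on repeated percent-decoding


def extract_q(url: str) -> list[str]:
    """Return every 'q' value of a request URL whose path is /search."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != "/search":
        return []
    # parse_qs already percent-decodes each value once.
    return parse_qs(parts.query, keep_blank_values=True).get("q", [])


def fully_decode(value: str) -> str:
    """Undo nested percent-encoding so %253C is seen as '<'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_q(url: str) -> bool:
    """Input validation: True when no 'q' value contains tag characters."""
    return not any(TAG_CHARS.search(fully_decode(v)) for v in extract_q(url))


def render_heading(term: str) -> str:
    """Output encoding: echo the search term with HTML metacharacters escaped."""
    return f"<h2>Results for {html.escape(term, quote=True)}</h2>"


# Constructed sample requests (benign markup only).
SAMPLES = [
    "/search?q=wireless+headphones",
    "/search?q=men%27s+shoes",
    "/search?q=%3Ch1%3ESite+moved%3C%2Fh1%3E",
    "/search?q=%253Cb%253Esale%253C%252Fb%253E",  # double-encoded
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(validate_q(url), render_heading(extract_q(url)[0]))
```

The input check is only a filter that can sit in front of the application; the encoding step is what keeps the echoed term from being parsed as markup, including when a value slips past the filter.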
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (1)