CVE-2026-28083

Vulnerability

Overview

CVE-2026-28083 is a stored cross-site scripting (XSS) vulnerability in the Flatsome theme by UX-themes, affecting versions up to and including 3.20.5. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary scripts that are stored and later executed in the context of other users' browsers [1].

Exploitation

Prerequisites

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. This user interaction is necessary for the attacker to inject the malicious payload. Once injected, the script executes when any visitor accesses the affected page [1].

Impact

A successful attack enables the injection of malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts can be used to deface the site, steal session cookies, or perform further attacks against site visitors. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Mitigation

The vendor has released version 3.20.6 which addresses the vulnerability. Users are strongly advised to update immediately. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. Although the CVSS score is 6.5 (Medium), the vulnerability is considered low severity by the vendor but is actively exploited in the wild [1].