VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-36521


Description

PublicCMS V5.202506.d backend XSS in site configuration management via the description field, triggered on modify.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

PublicCMS V5.202506.d contains a stored Cross-Site Scripting (XSS) vulnerability in the site configuration management module [1]. The vulnerable input is the description field supplied when adding a configuration item [1]. Access to the administrative backend is required to reach this functionality; the vulnerable code path is reachable through the standard site configuration interface [1].

Exploitation

An attacker with administrative backend credentials navigates to Settings -> Site Configuration Management, selects any entry, clicks Modify Configuration Item, then Add Row [1]. The attacker fills arbitrary values in other fields and injects a JavaScript payload (PoC) into the description field [1]. After saving, the payload is stored. Returning to Site Configuration Management and selecting the same entry for modification triggers execution of the injected script [1].

Impact

Successful exploitation allows execution of arbitrary JavaScript in the context of the administrator's browser session [1]. This can lead to session hijacking, defacement, or theft of sensitive data visible within the backend, depending on the attacker's payload and the administrator's privileges [1].

Mitigation

No fixed version is available in the provided references [1]. As of publication, users should restrict administrative access to trusted personnel only, apply strict input validation on the description field, or await a patched release from the vendor [1].
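As an added example (not code from PublicCMS or from the advisory), the sketch below shows what strict validation of the description field can look like, paired with HTML output encoding at render time and an audit pass over rows that are already stored. The row field names `code` and `description`, the length limit and the sample rows are assumptions constructed for illustration.

```python
import html
import re
import unicodedata

# Assumption: a description is a short, single-line plain-text label, so
# markup and control characters are never legitimate in this field.
FORBIDDEN = re.compile(r"[<>\"'`&]")
MAX_LEN = 200  # assumed limit, not taken from PublicCMS


def validate_description(value: str) -> list[str]:
    """Return the reasons a description is rejected (empty list = accepted)."""
    problems = []
    if len(value) > MAX_LEN:
        problems.append("too long")
    if FORBIDDEN.search(value):
        problems.append("markup character")
    if any(unicodedata.category(ch) == "Cc" for ch in value):
        problems.append("control character")
    return problems


def render_description(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute at output time."""
    return html.escape(value, quote=True)


def audit_rows(rows: list[dict]) -> list[tuple[str, list[str]]]:
    """Flag already-stored rows whose description fails validation."""
    flagged = []
    for row in rows:
        problems = validate_description(row.get("description", ""))
        if problems:
            flagged.append((row["code"], problems))
    return flagged


# Constructed sample rows; "code" and "description" are hypothetical names.
SAMPLE_ROWS = [
    {"code": "site_title", "description": "Title shown in the page header"},
    {"code": "footer_note", "description": "<script>alert(1)</script>"},
    {"code": "logo_alt", "description": 'Logo "alt" text'},
]

if __name__ == "__main__":
    for code, problems in audit_rows(SAMPLE_ROWS):
        print(code, problems)
    print(render_description(SAMPLE_ROWS[1]["description"]))
```

The third row shows the cost of strict validation: a harmless description containing quotes is rejected, while `render_description` displays it safely, so encoding at output is the control that holds even for values stored before validation existed.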

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
