VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026

Reflected XSS in LMS

CVE-2026-40457

Description

A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the "dbrecover.php" and "netremap.php" modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link, provided the required conditions (such as a network defined in the system) are met.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Direct concatenation of unsanitized GET parameters into HTML output allows reflected XSS."

Attack vector

An attacker crafts a malicious URL containing a JavaScript payload in the `db`, `id`, or `mapto` GET parameter. When an authenticated LMS user clicks the crafted link, the unsanitized parameter is echoed into the HTML page, causing the injected script to execute in the user's browser context. The attack requires the user to be authenticated and, for `netremap.php`, a network to be defined in the system [ref_id=1]. This is a classic Reflected Cross-Site Scripting (XSS) pattern.

Affected code

The vulnerability exists in `modules/dbrecover.php` and `modules/netremap.php`. In `dbrecover.php`, the `$_GET['db']` parameter is directly concatenated into an anchor tag's `href` attribute without sanitization. Similarly, `netremap.php` embeds `$_GET['id']` and `$_GET['mapto']` directly into HTML output. Both files lack output encoding before the patch [patch_id=6466785].

What the fix does

The patch wraps each unsanitized `$_GET` value with `htmlspecialchars()` before embedding it into the HTML output [patch_id=6466785]. This function converts special HTML characters (like `<`, `>`, `&`, `

Preconditions

  • auth: The victim must be authenticated to the LMS application.
  • config: For the netremap.php vector, a network must be defined in the system.
  • input: The attacker must trick the victim into clicking a crafted URL with a malicious GET parameter.
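As an added example (not code from the LMS project or from the fix commit, whose diff is not reproduced on this page), the PHP below contrasts the vulnerable concatenation pattern described under "Affected code" with the `htmlspecialchars()` wrapping described under "What the fix does". The function names, the `$params` array standing in for `$_GET`, and the sample input are constructed for illustration; the surrounding code of the real `dbrecover.php` and `netremap.php` modules is assumed, not quoted.

```php
<?php
// Added illustrative example; not code from the LMS project or its fix commit.
// Function names, the $params array (standing in for $_GET) and the sample
// input are constructed here to mirror the pattern the advisory describes.
declare(strict_types=1);

// BEFORE the fix: the raw request value is concatenated straight into an
// href attribute, so a value containing '"' and '<' breaks out of the
// attribute and injects new markup into the page.
function renderRestoreLinkVulnerable(array $params): string
{
    $db = (string)($params['db'] ?? '');
    return '<a href="?m=dbrecover&db=' . $db . '">Restore</a>';
}

// AFTER the fix: the same value goes through htmlspecialchars() first.
// ENT_QUOTES is given explicitly: before PHP 8.1 the default (ENT_COMPAT)
// leaves single quotes alone, which is not enough inside an attribute that
// might be single-quoted. ENT_SUBSTITUTE avoids returning an empty string
// on invalid UTF-8, which would otherwise silently drop the value.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRestoreLinkFixed(array $params): string
{
    $db = encodeForHtml((string)($params['db'] ?? ''));
    return '<a href="?m=dbrecover&db=' . $db . '">Restore</a>';
}

// Same idea for a value reflected into page text (the netremap.php case,
// where the advisory says id and mapto are embedded into HTML output).
function renderNetworkHeading(array $params, bool $fixed): string
{
    $id = (string)($params['id'] ?? '');
    return '<h2>Remap network ' . ($fixed ? encodeForHtml($id) : $id) . '</h2>';
}

// A small regression check a maintainer could keep beside the module:
// the reflected value must appear only in its encoded form.
function reflectedValueIsEncoded(string $html, string $value): bool
{
    $encoded = encodeForHtml($value);
    if (strpos($html, $encoded) === false) {
        return false; // value not reflected at all, or mangled
    }
    // A value with no special characters encodes to itself, so the raw
    // form is only a problem when it differs from the encoded form.
    return $encoded === $value || strpos($html, $value) === false;
}

// Constructed hostile input: closes the attribute and tag, then adds markup.
$hostile = ['db' => 'backup.sql"><b>injected</b>', 'id' => '7<b>x</b>'];

echo renderRestoreLinkVulnerable($hostile), PHP_EOL;
echo renderRestoreLinkFixed($hostile), PHP_EOL;
echo renderNetworkHeading($hostile, false), PHP_EOL;
echo renderNetworkHeading($hostile, true), PHP_EOL;

var_dump(reflectedValueIsEncoded(renderRestoreLinkVulnerable($hostile), $hostile['db']));
var_dump(reflectedValueIsEncoded(renderRestoreLinkFixed($hostile), $hostile['db']));
var_dump(reflectedValueIsEncoded(renderNetworkHeading($hostile, true), $hostile['id']));
```

Running it prints the broken-out anchor for the vulnerable renderer and an intact anchor with `&quot;`, `&lt;` and `&gt;` for the fixed one; the three `var_dump` calls report `false`, `true`, `true`. Two points worth keeping in mind when reviewing a fix of this shape: `htmlspecialchars()` is an HTML-context encoder, so a value that is also meant to be a query-string parameter inside the `href` is usually passed through `rawurlencode()` as well, and the check above only covers values that land in HTML text or attribute contexts, not values placed inside inline JavaScript or CSS.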

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
