Medium severity4.3NVD Advisory· Published Mar 21, 2026· Updated Apr 29, 2026

CVE-2026-4510

Description

A weakness has been identified in PbootCMS up to 3.2.12. This impacts the function alert_location of the file apps/home/controller/MemberController.php of the component Parameter Handler. This manipulation of the argument backurl causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PbootCMS 3.2.12's member login flow reflects the backurl parameter into JavaScript without proper encoding, enabling reflected XSS and open redirect via crafted URLs.

Root

Cause A weakness in PbootCMS up to version 3.2.12 allows a malicious actor to supply a crafted backurl parameter to the member login endpoint. The alert_location() function in core/function/helper.php directly embeds this user-controlled value into a JavaScript string assigned to location.href, without context-aware output encoding. The vulnerable code path is located in apps/home/controller/MemberController.php [1].

Attack

Surface An unauthenticated attacker can exploit this by sending a victim a link to /member/login?backurl=... with a specially crafted value. Because the backurl is inserted into a JavaScript context without escaping special characters like double quotes and semicolons, the attacker can break out of the string and inject arbitrary JavaScript. This is a reflected (non-persistent) attack that requires user interaction (clicking the crafted link) [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the PbootCMS site. This can be used to steal session cookies, perform phishing by redirecting the victim to a malicious site (open redirect), or deface the page. The reference report classifies this as CWE-79 (Cross-Site Scripting) and CWE-601 (URL Redirection to Untrusted Site), assigning a CVSS v3 base score of 6.1 (Medium/High) [1].

Mitigation

At the time of disclosure, no official patch has been released for PbootCMS 3.2.12. Administrators should sanitize the backurl parameter by validating it against a whitelist of allowed hosts and encoding the output for the JavaScript context. Until a vendor fix is available, upgrading to a newer version or applying a web application firewall (WAF) rule that blocks malicious payloads in the backurl parameter is recommended [1].

References

cvetest/VULN-05_BACKURL_OPEN_REDIRECT_XSS_REPORT_EN.md at main · zzj-create/cvetest

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Pbootcmspro/Pbootcmsllm-fuzzy
Range: <=3.2.12

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

4.3/ 10

CVSS v42.1

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.04%

VYPR risk score

Composite of severity, exploitation, and reach.

0.28low

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94
Improper Control of Generation of Code ('Code Injection')

CVE ID

CVE-2026-4510

Credits

Z(
zmjjkk (VulDB User)
reporter