CVE-2026-4845
Description
A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the file /admin/Member/index.html. This manipulation of the argument Search causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in MuuCmf T6 v1.9.5.20260309 allows remote attackers to execute arbitrary JavaScript via the search parameter in /admin/Member/index.html.
Vulnerability
Overview
A reflected cross-site scripting (XSS) flaw exists in dameng100 muucmf version 1.9.5.20260309. The vulnerability resides in the /admin/Member/index.html endpoint, where the search parameter is echoed back into the page without proper output encoding or sanitization. The root cause is in the template file muucmf-master\app\admin\view\member\index.html at line 49, where user-supplied input is placed directly into an input tag's value attribute, allowing script injection [1].
Exploitation
An attacker can exploit this flaw by crafting a malicious URL containing an XSS payload in the search parameter and tricking an authenticated administrator into clicking it. No special network position is required beyond standard web access, and the attack is remote. The attacker does not need to authenticate to the vulnerable endpoint; they only need to control the URL, while the victim must have an active session for the reflected payload to trigger [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or other actions performed under the victim's privileges. The CVSS v3.1 score assigned by the researcher is 8.8 (High) with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability [1].
Mitigation
Status
The vendor was contacted but did not respond, and no official patch has been released as of the publication date. Users are advised to apply input validation and output encoding on the search parameter, or restrict access to the admin panel to trusted networks. The exploit has been publicly disclosed and a proof-of-concept is available [1].
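As an added illustration (not muucmf's own code; the template line below is a constructed stand-in, not the project's actual markup), this shows the attribute-context output encoding the mitigation calls for, beside the unencoded reflection described above, with a check that the reflected value round-trips as a single attribute:

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a search string that closes the value="..."
# attribute and injects markup if it is reflected without encoding.
SAMPLE_SEARCH = 'alice"><i>injected</i><input value="'

# Constructed stand-in for the template line that reflects the parameter.
TEMPLATE = '<input type="text" name="search" value="{value}">'


def render_vulnerable(search: str) -> str:
    """Reflect the parameter into the attribute as-is (the flaw described above)."""
    return TEMPLATE.format(value=search)


def render_fixed(search: str) -> str:
    """Encode for the attribute context: &, <, >, \" and ' are all escaped."""
    return TEMPLATE.format(value=html.escape(search, quote=True))


class _InputCollector(HTMLParser):
    """Collect the (decoded) value attribute of every <input> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def reflected_values(fragment: str) -> list:
    """Parse the rendered fragment the way a browser would and list input values."""
    p = _InputCollector()
    p.feed(fragment)
    p.close()
    return p.values


def is_safely_reflected(search: str, fragment: str) -> bool:
    """True only if exactly one <input> exists and its value decodes back to the
    original parameter, i.e. the input never broke out of the attribute."""
    return reflected_values(fragment) == [search]
```

With the unencoded render the parser sees two input tags and an injected element; with the encoded render it sees one input whose value is exactly the submitted string.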
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)