VYPR
Medium severity 4.3 (NVD Advisory) · Published Mar 26, 2026 · Updated Apr 29, 2026

CVE-2026-4846

Description

A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MuuCmf T6 1.9.5.20260309 suffers from a reflected XSS via the keyword parameter in autoReply.html.

Vulnerability

Description

A reflected cross-site scripting (XSS) vulnerability exists in MuuCmf T6 version 1.9.5.20260309, specifically in the file channel/admin.Account/autoReply.html. The keyword parameter is used unsanitized in line 31 of the template, reflecting user input directly into the page without proper filtering or encoding [1]. This allows an attacker to inject arbitrary HTML and JavaScript code into the response.

Exploitation

The attack is performed remotely by crafting a URL parameter. The attacker can craft a malicious link to /channel/admin.Account/autoReply.html?keyword=<script>alert(1)</script> and send it to a victim. No authentication is required for the attack to succeed, and the user interaction is limited to clicking the malicious link [1].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser, potentially allowing session hijacking, redirection to malicious sites, or other client-side attacks. The official CVSS score for this vulnerability is 8.8 (High) AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impact to confidentiality, integrity, and availability [1].

Mitigation

The vendor was contacted but did not respond. As of this writing, no official patch is available [1]. Users are advised to manually sanitize the input parameter (e.g., by using htmlspecialchars() in PHP) or implement web application firewall rules to block XSS attempts until a fix is released.
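To make the htmlspecialchars() advice concrete, the following is an added PHP example (not MuuCmf's own code, and not the actual contents of autoReply.html line 31, which this page does not show) that places the unsafe reflection pattern beside its hardened form. The render functions, the variable names and the HTML fragment are assumptions for illustration; only the parameter name keyword and the probe string come from the advisory.

```php
<?php
// Added example: reflected-output pattern behind CVE-2026-4846 and its hardened form.
// renderVulnerable()/renderHardened() and the markup are assumptions, not MuuCmf code.
declare(strict_types=1);

/** Encode a value for insertion into HTML text or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES: encode both quote styles so the value cannot break out of an
    // attribute (before PHP 8.1 the default flags left single quotes alone).
    // ENT_SUBSTITUTE: invalid UTF-8 becomes U+FFFD instead of an empty string,
    // so a bad byte sequence cannot silently drop the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the query value is echoed straight into the response. */
function renderVulnerable(array $query): string
{
    $keyword = $query['keyword'] ?? '';
    return '<input type="text" name="keyword" value="' . $keyword . '">'
         . '<p>Results for: ' . $keyword . '</p>';
}

/** Hardened pattern: every reflection passes through e() at the output point. */
function renderHardened(array $query): string
{
    $keyword = $query['keyword'] ?? '';
    return '<input type="text" name="keyword" value="' . e($keyword) . '">'
         . '<p>Results for: ' . e($keyword) . '</p>';
}

/** True when the rendered HTML still carries a raw <script> element. */
function reflectsRawScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample input: the probe string quoted in the advisory.
$sample = ['keyword' => '<script>alert(1)</script>'];

$vulnerable = renderVulnerable($sample);
$hardened   = renderHardened($sample);

echo 'unescaped reflects raw script: ' . var_export(reflectsRawScript($vulnerable), true), PHP_EOL;
echo 'encoded reflects raw script:   ' . var_export(reflectsRawScript($hardened), true), PHP_EOL;
echo $hardened, PHP_EOL;
```

Encoding must happen at the point where the value is written into HTML, because an escaped copy stored earlier can be bypassed by any other code path that reflects the raw request value; the same e() wrapper applies to both the attribute context and the text context shown above.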

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4
