VYPR
Medium severity · CVSS 4.3 (NVD) · Advisory · Published Mar 26, 2026 · Updated Apr 29, 2026

CVE-2026-4847

Description

A vulnerability was found in dameng100 muucmf 1.9.5.20260309. The impacted element is an unknown function of the file /admin/config/list.html. Performing a manipulation of the argument Name results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MuuCmf T6 v1.9.5.20260309 has a reflected XSS in /admin/config/list.html via the name parameter, allowing remote attackers to execute arbitrary JavaScript in a user's browser session.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in MuuCmf T6 version 1.9.5.20260309. The flaw resides in the file /admin/config/list.html, where the name parameter is reflected directly into the HTML output without sanitization or output encoding. Specifically, in the view file muucmf-master\app\admin\view\config\list.html, line 30, the value of an input tag is taken from user-controlled input and echoed back, allowing an attacker to inject arbitrary HTML or JavaScript [1].

Exploitation

The attack is performed remotely by crafting a malicious URL that carries an XSS payload in the name parameter, such as http://127.0.0.1/admin/config/list.html?name=<script>alert(1)</script>, and tricking an authenticated administrator into opening it (social engineering). The attacker needs no account of their own, but the reflected payload only executes in a browser that can reach the admin endpoint, i.e. one holding an active administrator session. The exploit has been publicly disclosed with a proof-of-concept video [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, theft of sensitive data, or further actions within the admin panel performed with the administrator's privileges. The CVSS v3.1 score assigned by the researcher is 8.8 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability [1]. Note that this differs from the 4.3 (Medium) NVD score shown at the top of this entry; rating a reflected XSS as C:H/I:H/A:H is unusual, since the script runs only in the victim's browser and does not by itself compromise the server.

Mitigation

The vendor (dameng100) was contacted but did not respond. As of the publication date (2026-03-26), no official patch is available. Users should restrict access to the admin panel (for example to trusted networks), HTML-encode the reflected name value in the view template so it cannot terminate the attribute or open a new tag, and consider a web application firewall (WAF) to block common payloads until a fix is released [1].
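The two paragraphs above describe the bug (a query parameter written into an input tag without encoding) and the fix (output encoding). The following added example, which is not code from the page or from the MuuCmf project, models both sides in Python: a constructed stand-in for the vulnerable template, its hardened counterpart, a reflection check a tester can run over a captured response body, and the PoC URL from the page built with a properly percent-encoded payload. The template strings, the canary value, and all function names are assumptions for illustration; MuuCmf's real view is a PHP template, and the equivalent encoding call there is htmlspecialchars() with ENT_QUOTES.

```python
import html
from urllib.parse import urlencode

# Constructed canary: contains every character that matters inside an HTML
# attribute or tag context. If it comes back verbatim, nothing was encoded.
CANARY = '"\'><xss>'

PAGE_POC_PAYLOAD = "<script>alert(1)</script>"
PAGE_ENDPOINT = "http://127.0.0.1/admin/config/list.html"


def render_vulnerable(name: str) -> str:
    """Stand-in for a template that writes a query parameter into an <input>
    value without encoding. Illustrates the bug class on this page; it is NOT
    MuuCmf's template. The attribute is assumed unquoted so that the page's PoC
    payload lands directly as markup; a quoted attribute would still be
    exploitable with a leading '">' in the payload."""
    return f'<form><input type="text" name="name" value={name}></form>'


def render_fixed(name: str) -> str:
    """Hardened form: quote the attribute and HTML-encode the value.
    html.escape(quote=True) turns < > & " ' into entities, so the reflected
    string can neither close the attribute nor open a new tag."""
    safe = html.escape(name, quote=True)
    return f'<form><input type="text" name="name" value="{safe}"></form>'


def reflected_unencoded(body: str, probe: str = CANARY) -> bool:
    """Return True when the probe string appears in the response body exactly
    as it was sent. Encoding any one of its metacharacters changes the
    substring, so a verbatim hit means the parameter is reflected raw."""
    return probe in body


def poc_url(base: str = PAGE_ENDPOINT, payload: str = PAGE_POC_PAYLOAD) -> str:
    """Build the PoC URL from the page with the payload percent-encoded, the
    form a browser actually sends (the page shows it unencoded for readability)."""
    return base + "?" + urlencode({"name": payload})


def triage(name: str) -> dict:
    """Render the same input through both templates and report which one
    reflects it unencoded; handy as a side-by-side demonstration."""
    return {
        "vulnerable": reflected_unencoded(render_vulnerable(name), name),
        "fixed": reflected_unencoded(render_fixed(name), name),
    }


if __name__ == "__main__":
    print(poc_url())
    print(render_vulnerable(PAGE_POC_PAYLOAD))
    print(render_fixed(PAGE_POC_PAYLOAD))
    print(triage(CANARY))
```

The reflection check is deliberately a pure function over a response body so it can be pointed at a captured HTTP response from any client; a hit on the canary is a stronger signal than searching for "<script>", because it also catches attribute-breakout cases where the value sits inside quotes.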

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4
