CVE-2026-4848
Description
A vulnerability was determined in dameng100 muucmf 1.9.5.20260309. This affects an unknown function of the file /admin/extend/list.html. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in MuuCmf T6 v1.9.5.20260309 via the name parameter in /admin/extend/list.html allows remote attackers to execute arbitrary JavaScript.
Vulnerability
Overview
A reflected cross-site scripting (XSS) vulnerability exists in MuuCmf T6 version 1.9.5.20260309 (also known as dameng100 muucmf). The flaw resides in the file /admin/extend/list.html, where the name parameter is echoed back into the page without proper sanitization or output encoding [1]. Specifically, at line 18 of the template file, the user-supplied input is directly placed into an HTML input tag's value attribute, allowing an attacker to inject arbitrary JavaScript [1].
Exploitation
The attack is remotely exploitable and does not require authentication, as the vulnerable endpoint is accessible to any visitor. An attacker can craft a URL such as http://target/admin/extend/list.html?name=<script>alert(1)</script> and, if a victim clicks the link, the injected script executes in the context of the victim's browser session [1]. The exploit has been publicly disclosed with a proof-of-concept, increasing the risk of active exploitation [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of sensitive data, defacement, or further attacks against the application and its users. The CVSS v3.1 score assigned by the researcher is 8.8 (High) with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting the potential for complete compromise of confidentiality, integrity, and availability [1].
Mitigation
The vendor was contacted but did not respond, and no official patch has been released as of the publication date [1]. Users should consider restricting access to the admin interface, implementing a web application firewall (WAF) rule to block malicious name parameters, or upgrading to a patched version if one becomes available. The vulnerability is publicly known and should be treated as a priority for remediation.
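To make the mechanism described in the Overview and the output-encoding advice in Mitigation concrete, here is an added Python example; it is not MuuCmf code (the project is PHP), and the template shape, the host name target.example and the sample request are constructed assumptions. It renders the name parameter into an input value attribute first the way the advisory describes and then with attribute-context encoding, and includes a parser-based check a defender can use to confirm that the encoded page contains no injected script element while the original value still round-trips correctly.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample request (assumption): the "name" query parameter that the
# advisory says is reflected into /admin/extend/list.html. The host is a placeholder.
SAMPLE_URL = (
    "http://target.example/admin/extend/list.html"
    "?name=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
)


def get_name_param(url: str) -> str:
    """Extract the decoded 'name' query parameter as the server would see it."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Raw interpolation into a value attribute (the flaw pattern the advisory describes)."""
    return f'<input type="text" name="name" value="{name}">'


def render_hardened(name: str) -> str:
    """Attribute-context encoding: quote=True also converts \" and ' to entities,
    so the value can neither close the attribute nor open a new tag."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


class _PageInspector(HTMLParser):
    """Counts <script> elements and records each <input>'s decoded value attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0
        self.input_values: list[str | None] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "script":
            self.scripts += 1
        elif tag == "input":
            # HTMLParser unescapes attribute values, so this is what a browser
            # would expose as input.value.
            self.input_values.append(dict(attrs).get("value"))


def parse_page(page: str) -> tuple[int, list]:
    """Return (number of script elements, list of input value attributes)."""
    inspector = _PageInspector()
    inspector.feed(page)
    inspector.close()
    return inspector.scripts, inspector.input_values


def reflects_unencoded(page: str, value: str) -> bool:
    """Defensive check: an untrusted value containing markup-significant characters
    appears verbatim in the response, i.e. without output encoding."""
    markup_chars = '<>"\''
    return any(c in value for c in markup_chars) and value in page


if __name__ == "__main__":
    name = get_name_param(SAMPLE_URL)
    for label, page in (("vulnerable", render_vulnerable(name)),
                        ("hardened", render_hardened(name))):
        scripts, values = parse_page(page)
        print(f"{label}: unencoded reflection={reflects_unencoded(page, name)} "
              f"script elements={scripts} input values={values}")
```

The hardened rendering keeps the user's text intact as data (the parser recovers the original string from the value attribute) while producing zero script elements, which is the property a fix for this class of bug should be tested against; the same parser check can be run against a response from the real page after a patch or WAF rule is applied.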
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.