Low severity3.5NVD Advisory· Published Apr 1, 2026· Updated Apr 29, 2026

CVE-2026-5249

Description

A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \gougucms-master\app\admin\view\user\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in gougucms 4.08.18 allows low-privileged users to inject malicious scripts into the admin record endpoint, triggering when an administrator views logs.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in gougucms version 4.08.18 within the file \gougucms-master\app\admin\view\user\record.html. The Record Endpoint is vulnerable as user-controlled data from the attribute value.content is directly appended to an HTML string without validation or sanitization. When an administrator views the record management page, the document is passed to $('#logs').append(html), allowing the jQuery library to parse and execute any included HTML or script tags [1].

Exploitation

An attacker with a low-privileged account can inject a malicious payload—such as ` or `—into the record endpoint through a submit form. The payload is stored in the database and automatically executed when an administrator accesses the operational records or logs in the backend dashboard. No special authentication is required beyond a normal user account, and the attack can be performed remotely [1].

Impact

Successful exploitation leads to potential session hijacking and unauthorized administrative actions. Because the script runs in the administrator's browser context, the attacker could steal administrative session cookies or perform actions without consent, effectively compromising the entire application. The published CVSS v3 score from the reference is 8.8 (High) [1].

Mitigation

The vendor was contacted but did not respond, and no patch has been released. Users should apply input sanitization for the value.content field and consider restricting access to the record pages. The exploit has been publicly disclosed, and the vulnerability may be added to CISA KEV in the future [1].

References

Gougu CMS contains Blind XSS

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

gougucms/gougucmsllm-create
Range: =4.08.18

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

LowCVSS v3.1

3.5/ 10

CVSS v42.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: Low
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.03%

VYPR risk score

Composite of severity, exploitation, and reach.

0.23low

cvss	0.227
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94
Improper Control of Generation of Code ('Code Injection')

CVE ID

CVE-2026-5249

Credits

T(
thinhnee (VulDB User)
reporter
V
VulDB
coordinator