CVE-2026-5252

Vulnerability

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in z-9527 Admin ≤ commit 72aaf2d within the message board functionality. The /message/create endpoint in /server/routes/message.js accepts user-supplied content and stores it directly into the database without any sanitization or validation [1]. Additionally, the React frontend in /react/src/pages/MessageBoard/index.js renders this content using dangerouslySetInnerHTML, which bypasses React's built-in XSS protection [1].

Exploitation

Prerequisites

An attacker must be authenticated to send a crafted POST request to the /message/create endpoint with malicious JavaScript in the content field [1]. The payload is then stored and executed when any user views the message board, including administrators. No authentication bypass or special network position is required beyond normal user access [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of all users viewing the affected message board. This can lead to session hijacking, credential theft, and other malicious actions performed on behalf of victims [1]. The public exploit code indicates a high risk of real-world attacks.

Mitigation

Status

The vendor was contacted but did not respond [1]. Mitigations include implementing HTML sanitization using libraries like DOMPurify, avoiding dangerouslySetInnerHTML in favor of safe React rendering, and applying Content Security Policy (CSP) headers [1]. As no patch is available, users should consider disabling the message board or applying input validation.

_References:_ [1]