CVE-2026-5253

Vulnerability

Overview

A stored Cross-Site Scripting (XSS) vulnerability exists in HotGo versions 1.0 and 2.0. The root cause is the lack of input sanitization in the /admin/notice/editNotice endpoint, which accepts user-supplied content and stores it directly in the database. The Vue.js frontend then renders this content using the v-html directive in /web/src/layout/components/Header/MessageList.vue without any sanitization, allowing arbitrary HTML and JavaScript to be executed [1].

Exploitation

An authenticated attacker can exploit this vulnerability by sending a crafted request to the editNotice endpoint with malicious JavaScript in the content field. The payload is stored in the database and subsequently rendered in the browsers of all users who view system notices. No special network position is required beyond standard web access to the application [1].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, or performing malicious actions on behalf of the victim. The attack is stored, meaning it persists and affects multiple users over time [1].

Mitigation

The vendor was contacted but did not respond, and no official patch has been released. Mitigations include implementing HTML sanitization (e.g., DOMPurify), avoiding v-html in favor of safe Vue.js rendering, enforcing Content Security Policy (CSP) headers, and validating input against a whitelist of allowed HTML tags and attributes [1].