NukeViet CMS, Stored Cross-Site Scripting (XSS), CVE-2026-54064 (High) -DC-Jul2026-954

Listen to this Post

CVE-2026-54064 is a stored Cross-Site Scripting (XSS) vulnerability affecting the NukeViet content management system. The flaw resides in the `NukeViet\Core\Request` class, specifically within the `filterAttr()` and `unhtmlentities()` methods, which are responsible for sanitizing user-supplied input.
The vulnerability arises from two distinct filter bypass techniques that allow an attacker to inject malicious JavaScript into web pages. The first bypass exploits the `filterAttr()` method, which uses PHP’s `trim()` function to clean attribute names but fails to remove the ASCII Form Feed character (\x0C). An attacker can prefix an event handler like `onerror` with this character (e.g., \x0Conerror), bypassing the `/^on/i` regular expression check. However, the HTML5 browser parser treats `\x0C` as valid whitespace, correctly interpreting and executing the event handler.
The second bypass targets the `unhtmlentities()` method, which strips hex-encoded HTML entities but overlooks their decimal equivalents. An attacker can use the decimal tab entity () to obfuscate the `javascript:` keyword in a URI, such as jav ascript:alert(). The keyword-blocking regex `/\s/` does not match HTML entities, allowing the payload to pass the filter. The browser then decodes the entity and executes the JavaScript code.
An attacker with news-posting permissions can exploit these bypasses to inject persistent JavaScript into s. When any user, including administrators, views the compromised page, the malicious script executes in their browser. This can lead to session cookie theft, credential harvesting, website defacement, and further privilege escalation.
The vulnerability has been patched in NukeViet version 4.6.00. The fix involves stripping all ASCII control characters from attribute names before the `/^on/` check in `filterAttr()` and removing decimal HTML entities for all ASCII control characters in unhtmlentities().

DailyCVE Form

Platform: NukeViet CMS
Version: < 4.6.00
Vulnerability: Stored XSS
Severity: High (8.7 CVSS)
date: 2026-07-13

Prediction: 2026-07-14

What Undercode Say

Analytics:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (news post permission)
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Exploit:

Bypass 1 — Form Feed Character Prefix

URL-encoded payload for the 'bodyhtml' POST field
<img src="x" %0Conerror="alert('XSS')">

Bypass 2 — Decimal HTML Entity Tab

Markdown-style link payload
[Click me](jav  ascript:alert('XSS'))

Protection:

  • Upgrade to NukeViet version 4.6.00 or later.
  • Patch the `vendor/vinades/nukeviet/Core/Request.php` file manually:
  • In filterAttr(): Strip all ASCII control characters (\x00\x20) from the attribute name before the `/^on/` check.
  • In unhtmlentities(): Strip decimal HTML entities for all ASCII control characters (0–31) before the keyword checks.

Impact:

Successful exploitation allows an authenticated attacker with news-posting permissions to inject and store malicious JavaScript. This script executes in the browsers of all users viewing the affected , including administrators. The impact includes session cookie theft, credential harvesting, website defacement, and further privilege escalation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top