CVE-2020-36932

MEDIUM

SeaCMS 11.1 - Stored Cross-Site Scripting via Checkuser Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36932. PoCs published by j5s.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in SeaCMS 11.1 via the 'checkuser' parameter. The payload injects a script tag that triggers an alert with the document cookie, confirming the vulnerability.

Description

SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded.

Exploits (1)

exploitdb WORKING POC
by j5s · text · webapps · multiple
https://www.exploit-db.com/exploits/49251


Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SeaCMS 11.1
Auth required
Prerequisites: Access to the admin panel · Valid session cookies
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Product: https://www.seacms.net/
Exploit, VDB Entry: https://www.exploit-db.com/exploits/49251
Third Party Advisory: https://www.vulncheck.com/advisories/seacms-checkuser-stored-xss

Scores

CVSS v3 6.1
EPSS 0.0024
EPSS Percentile 15.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (2)
seacms/seacms 11.1
Seacms/Seacms < 11.1
Published Jan 25, 2026
Tracked Since Feb 18, 2026