CVE-2020-37236

MEDIUM

NewsLister Authenticated Persistent Cross-Site Scripting via Admin Panel

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37236. PoCs published by Emre Aslan.

AI-analyzed exploit summary: This exploit demonstrates an authenticated persistent XSS vulnerability in NewsLister. The attacker injects a malicious payload into the 'title' field via the admin panel, which executes when the news is viewed.

Description

NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users.

Exploits (1)

exploitdb · WORKING POC
by Emre Aslan · text · webapps · multiple
https://www.exploit-db.com/exploits/49160

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: NewsLister (version not specified)
Auth required
Prerequisites: Admin panel access · Valid session cookies
devstral-2 · analyzed May 16, 2026

References (3)

Core References
Exploit: ExploitDB-49160
https://www.exploit-db.com/exploits/49160
Product: Official Product Homepage
https://www.netartmedia.net/newslister.html
Third Party Advisory: VulnCheck Advisory: NewsLister Authenticated Persistent Cross-Site Scripting via Admin Panel
https://www.vulncheck.com/advisories/newslister-authenticated-persistent-cross-site-scripting-via-admin-panel

Scores

CVSS v3: 6.4
EPSS: 0.0024
EPSS Percentile: 14.2%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): Netartmedia/NewsLister 1.0
Published: May 16, 2026
Tracked Since: May 16, 2026