CVE-2023-53936

MEDIUM

Cameleon CMS 2.7.4 - XSS

Title source: llm

Description

Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.

Exploits (1)

exploitdb WORKING POC
by Yasin Gergin · text · webapps · ruby
https://www.exploit-db.com/exploits/51446

Scores

CVSS v3 4.8
EPSS 0.0005
EPSS Percentile 14.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
tuzitio/camaleon_cms 2.7.4
tuzitio/Cameleon CMS 2.7.4
Published Dec 18, 2025
Tracked Since Feb 18, 2026