CVE-2023-53936

MEDIUM

Cameleon CMS 2.7.4 - Authenticated Stored Cross-Site Scripting via Post Title

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53936. PoCs published by Yasin Gergin.

AI-analyzed exploit summary This exploit demonstrates an authenticated persistent XSS vulnerability in Cameleon CMS 2.7.4. The attacker injects malicious JavaScript into a post title, which executes when a user hovers over the title.

Description

Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.

Exploits (1)

exploitdb WORKING POC
by Yasin Gergin · textwebappsruby
https://www.exploit-db.com/exploits/51446

This exploit demonstrates an authenticated persistent XSS vulnerability in Cameleon CMS 2.7.4. The attacker injects malicious JavaScript into a post title, which executes when a user hovers over the title.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Cameleon CMS 2.7.4
Auth required
Prerequisites: Admin access to Cameleon CMS · Ability to create a new post
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 4.8
EPSS 0.0021
EPSS Percentile 10.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
tuzitio/camaleon_cms 2.7.4
tuzitio/Cameleon CMS 2.7.4
Published Dec 18, 2025
Tracked Since Feb 18, 2026