CVE-2024-58344

MEDIUM

Carbon Forum 5.9.0 Persistent XSS via Forum Name Field

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58344. PoCs published by Chokri Hammedi.

AI-analyzed exploit summary This is a technical writeup detailing a stored XSS vulnerability in Carbon Forum 5.9.0, where malicious JavaScript can be injected into the Forum Name field under admin settings. The payload is executed when users visit the forum.

Description

Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft.

Exploits (1)

exploitdb WRITEUP

by Chokri Hammedi · textwebappsphp

https://www.exploit-db.com/exploits/52043

View Code ZIP pw:eip

This is a technical writeup detailing a stored XSS vulnerability in Carbon Forum 5.9.0, where malicious JavaScript can be injected into the Forum Name field under admin settings. The payload is executed when users visit the forum.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Carbon Forum 5.9.0

Auth required

Prerequisites: admin access to Carbon Forum

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Apr 22, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-52043

https://www.exploit-db.com/exploits/52043

Product product

Official Product Homepage

https://www.94cb.com/

Product product

Product Reference

https://github.com/lincanbin/Carbon-Forum

Third Party Advisory third-party-advisory

VulnCheck Advisory: Carbon Forum 5.9.0 Persistent XSS via Forum Name Field

https://www.vulncheck.com/advisories/carbon-forum-persistent-xss-via-forum-name-field

Scores

CVSS v3 6.4

EPSS 0.0004

EPSS Percentile 12.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

94Cb/Carbon Forum 5.9.0

Published Apr 22, 2026

Tracked Since Apr 22, 2026