CVE-2026-1953

HIGH

Nukegraphic CMS v3.1.2 - XSS

Title source: llm

Description

Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through the profile edit request, which are then executed site-wide whenever the affected user's name is displayed. This allows the attacker to execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-1953
nomisec WRITEUP
by carlosbudiman · poc
https://github.com/carlosbudiman/CVE-2026-1953-Disclosure

References (1)

Scores

CVSS v4 8.2
EPSS 0.0002
EPSS Percentile 6.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Details

CWE
CWE-79
Status published
Products (1)
Nukegraphic CMS/Nukegraphic CMS 3.1.2
Published Feb 05, 2026
Tracked Since Feb 18, 2026