CVE-2026-4510

MEDIUM

PbootCMS Parameter MemberController.php alert_location cross site scripting

Title source: cna

Description

A weakness has been identified in PbootCMS up to 3.2.12. This impacts the function alert_location of the file apps/home/controller/MemberController.php of the component Parameter Handler. This manipulation of the argument backurl causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-352076 | PbootCMS Parameter MemberController.php alert_location cross site scripting

https://vuldb.com/?id.352076

Signature, Permissions Required signature permissions-required

VDB-352076 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.352076

Third Party Advisory third-party-advisory

Submit #773904 | 翱云科技 PbootCMS 3.2.12 Reflected XSS

https://vuldb.com/?submit.773904

Exploit exploit

https://github.com/zzj-create/cvetest/blob/main/VULN-05_BACKURL_OPEN_REDIRECT_XSS_REPORT_EN.md

View Exploit ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0027

EPSS Percentile 18.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (13)

n/a/PbootCMS 3.2.0

n/a/PbootCMS 3.2.1

n/a/PbootCMS 3.2.10

n/a/PbootCMS 3.2.11

n/a/PbootCMS 3.2.12

n/a/PbootCMS 3.2.2

n/a/PbootCMS 3.2.3

n/a/PbootCMS 3.2.4

n/a/PbootCMS 3.2.5

n/a/PbootCMS 3.2.6

... and 3 more

Published Mar 21, 2026

Tracked Since Mar 21, 2026