CVE-2026-48999

MEDIUM

Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product

Title source: cna

Description

Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.

References (1)

Core 1

Core References

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2811026568490730190

Scores

CVSS v3 5.7

EPSS 0.0017

EPSS Percentile 6.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

ZTE/ZTE ZXUniPOS NDS-LTE V24.30.40CP02 and earlier versions

ZTE/ZTE ZXUniPOS NDS-LTE V24.40.40 and earlier versions

ZTE/ZXUniPOS NDS-LTE Versions < V24.40.40CP01 (excluding V24.30.40CP03, V24.40.40CP01)

Published May 27, 2026

Tracked Since May 27, 2026