THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-w2w5-w2pw-r929 (high) — NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

[GHSA] GHSA-w2w5-w2pw-r929 (high) — NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

medgithub_advisoriesPublished 2026-07-13

GHSA-w2w5-w2pw-r929 Severity: high CVE: CVE-2026-49259

NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

## Summary

A stored cross-site scripting (XSS) vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display name fields. The payload executes in the

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://github.com/advisories/GHSA-w2w5-w2pw-r929