THREAT OPS › Threat News › [GHSA] GHSA-w2w5-w2pw-r929 (high) — NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[GHSA] GHSA-w2w5-w2pw-r929 (high) — NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
GHSA-w2w5-w2pw-r929 Severity: high CVE: CVE-2026-49259
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
## Summary
A stored cross-site scripting (XSS) vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display name fields. The payload executes in the
MITRE ATT&CK techniques
Indicators of compromise
- CVE-2026-49259cve
Original source: https://github.com/advisories/GHSA-w2w5-w2pw-r929