THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-mxpf-qgg6-v3ff (high) — NukeViet: Unauthenticated Reflected XSS in Comment Module

[GHSA] GHSA-mxpf-qgg6-v3ff (high) — NukeViet: Unauthenticated Reflected XSS in Comment Module

medgithub_advisoriesPublished 2026-07-13

GHSA-mxpf-qgg6-v3ff Severity: high CVE: CVE-2026-48118

NukeViet: Unauthenticated Reflected XSS in Comment Module

## Summary

Reflected XSS in the Comment module via the `status_comment` URL parameter. The parameter accepts attacker-controlled base64-encoded HTML/JavaScript that is decoded server-side and rendered unescaped into the page. Compounded by a second flaw: the `checkss` anti-forgery to

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://github.com/advisories/GHSA-mxpf-qgg6-v3ff