THREAT OPS › Threat News › [GHSA] GHSA-mxpf-qgg6-v3ff (high) — NukeViet: Unauthenticated Reflected XSS in Comment Module
[GHSA] GHSA-mxpf-qgg6-v3ff (high) — NukeViet: Unauthenticated Reflected XSS in Comment Module
GHSA-mxpf-qgg6-v3ff Severity: high CVE: CVE-2026-48118
NukeViet: Unauthenticated Reflected XSS in Comment Module
## Summary
Reflected XSS in the Comment module via the `status_comment` URL parameter. The parameter accepts attacker-controlled base64-encoded HTML/JavaScript that is decoded server-side and rendered unescaped into the page. Compounded by a second flaw: the `checkss` anti-forgery to
MITRE ATT&CK techniques
Indicators of compromise
- CVE-2026-48118cve
Original source: https://github.com/advisories/GHSA-mxpf-qgg6-v3ff