
CVE-2026-12202

Cross-Site Scripting (XSS) Stored

CVE-2026-12202: Stored Cross-Site Scripting (XSS) in the Blocks endpoint, "CSS class name" parameter

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2026-12202

Summary

A stored cross-site scripting (XSS) vulnerability was identified in the Blocks endpoint of the Subrion CMS admin dashboard. A user with access to the Blocks page can inject a script through the "CSS class name" parameter when adding a block. The value is stored on the server without sanitization and is later written into the page unescaped, so the script executes in the browser of anyone who views the page where the stored block is rendered. Note that the steps below require an account that can reach the admin dashboard; the severity therefore depends on who holds that role and on who views the affected output.

Details

Vulnerable Endpoint: Blocks

Parameter: CSS class name

PoC

Payload

"><img src=x onerror=alert('CVE-Hunters2')>

Steps to Reproduce:

  • Log in to the admin dashboard and click "Edit Blocks".
  • On the "Blocks" page, click the "Add Block" button to create a new entry.
  • Enter the payload in the "CSS class name" field and fill the remaining fields with any value.
  • Click "Add". The stored value is rendered unescaped and the payload executes automatically.
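To make the bug class concrete, here is an added example (not Subrion code, and not taken from the advisory) that runs the payload above through a toy block renderer. It assumes a template that drops the stored class name straight into a `class="..."` attribute, which is what the symptoms described above imply; the hardened variant applies attribute-context escaping and, separately, an allowlist regex (an assumption chosen for the demo) so that a value like the payload is rejected before it is ever stored.

```python
"""Added example: why a CSS class name needs attribute-context escaping and
an allowlist. Toy renderer only; it is not Subrion CMS code."""
import html
import re

# The payload quoted in the advisory above.
PAYLOAD = "\"><img src=x onerror=alert('CVE-Hunters2')>"

# Assumed allowlist for a class attribute: one or more space-separated
# identifiers built from letters, digits, hyphen and underscore.
CLASS_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+( [A-Za-z0-9_-]+)*$")


def render_block_vulnerable(css_class: str, body: str) -> str:
    """Mimics the bug class: a stored value dropped into an attribute unescaped.
    The leading '">' in the payload closes the attribute and the tag, so the
    rest of the string becomes a new <img> element with an onerror handler."""
    return f'<div class="{css_class}">{body}</div>'


def render_block_escaped(css_class: str, body: str) -> str:
    """Fix 1: escape for the attribute context. quote=True is essential here,
    because '"' is the character that breaks out of class="..."."""
    return f'<div class="{html.escape(css_class, quote=True)}">{html.escape(body)}</div>'


def is_valid_class_name(css_class: str) -> bool:
    """Fix 2: validate on input. Anything that is not a plausible class list
    (quotes, angle brackets, parentheses, ...) is rejected before storage."""
    return CLASS_NAME_RE.fullmatch(css_class) is not None


def injects_new_tag(rendered: str) -> bool:
    """Demo check: does the rendered markup contain an <img> tag that the
    template never wrote? Escaping turns '<' into '&lt;', so this stays False."""
    return "<img" in rendered


if __name__ == "__main__":
    print("vulnerable:", render_block_vulnerable(PAYLOAD, "hello"))
    print("escaped:   ", render_block_escaped(PAYLOAD, "hello"))
    print("allowed?   ", is_valid_class_name(PAYLOAD), is_valid_class_name("sidebar widget-1"))
```

Both fixes are worth applying: output escaping protects every template that prints the field, while input validation keeps junk out of the database and also limits what can be done with a legitimately-looking class name in other contexts (for example CSS selectors built from it).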

Impact

  • Session hijacking: Stealing cookies or authentication tokens to impersonate users.
  • Credential theft: Harvesting usernames and passwords using malicious scripts.
  • Malware delivery: Distributing unwanted or harmful code to victims.
  • Privilege escalation: Compromising administrative users through persistent scripts.
  • Data manipulation or defacement: Changing or disrupting site content.
  • Reputation damage: Eroding trust among site users and administrators.

Reference

https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/SubrionCMS/CVE-2026-12202.md

Finder

Karina Gante

By: CVE-Hunters
