CVE-2026-12202: Stored Cross-Site Scripting (XSS) in the Blocks endpoint via the CSS class name parameter
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2026-12202
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the Blocks endpoint of the Subrion CMS application. This vulnerability allows attackers to inject malicious scripts via the CSS class name parameter. The injected scripts are stored on the server and executed automatically whenever the block is rendered, posing a significant security risk.
Details
Vulnerable Endpoint: Blocks
Parameter: CSS class name
PoC
Payload
Steps to Reproduce:
Access the admin dashboard and click on "Edit Blocks". On the "Blocks" page, click the "Add Block" button to set up a new entry. Insert the payload in the "CSS class name" field, type anything in the other fields and click on "Add". The payload will be executed automatically:


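The root cause described above is a free-text field ("CSS class name") whose value is stored and later written into an HTML attribute without validation or encoding. The following is an added example (not Subrion's code) of how a defender would close that gap: a strict allow-list check on each class token at save time, plus HTML attribute encoding at render time so that a stored value can never break out of the attribute even if it was saved before the validation existed. The function names, the token pattern and the length limit are assumptions chosen for illustration.

```python
import html
import re
from typing import List

# Allow-list for one CSS class token (hypothetical rule, not Subrion's own):
# optional leading hyphen, then a letter or underscore, then letters, digits,
# hyphens or underscores. Quotes, angle brackets, slashes and spaces can never match.
CLASS_TOKEN = re.compile(r"-?[A-Za-z_][A-Za-z0-9_-]*")
MAX_TOKEN_LEN = 64  # assumed upper bound to stop absurdly long stored values


def validate_css_classes(value: str) -> List[str]:
    """Split a space-separated class list and accept only allow-listed tokens.

    Raises ValueError on the first token that fails the check, so the
    offending value is rejected at save time instead of being stored.
    """
    accepted = []
    for tok in value.split():
        if len(tok) > MAX_TOKEN_LEN or not CLASS_TOKEN.fullmatch(tok):
            raise ValueError(f"rejected CSS class token: {tok!r}")
        accepted.append(tok)
    return accepted


def escape_attr(value: str) -> str:
    """Encode a value for use inside a double-quoted HTML attribute.

    html.escape with quote=True encodes &, <, >, " and ', so the value can
    never terminate the attribute or start a new tag. This is the defence in
    depth for values that reached the database before validation existed.
    """
    return html.escape(value, quote=True)


def render_block(title: str, css_classes: str) -> str:
    """Render the block wrapper: validate on the way in, encode on the way out."""
    classes = validate_css_classes(css_classes)
    return f'<div class="{escape_attr(" ".join(classes))}">{escape_attr(title)}</div>'


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed class list and one containing
    # attribute metacharacters, which the validator must reject.
    print(render_block("Latest news", "sidebar-box featured_2"))
    try:
        validate_css_classes('box" onx="1')
    except ValueError as err:
        print("save rejected:", err)
    # Even without validation, output encoding leaves a stored value inert.
    print(escape_attr('box"><x'))
```

Both layers matter: the allow-list keeps the stored data clean and makes the field unusable as a script carrier, while attribute encoding at the template means a future bypass of the validator, or a row written by an older version, still renders as harmless text.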
Impact
- Session hijacking: Stealing cookies or authentication tokens to impersonate users.
- Credential theft: Harvesting usernames and passwords using malicious scripts.
- Malware delivery: Distributing unwanted or harmful code to victims.
- Privilege escalation: Compromising administrative users through persistent scripts.
- Data manipulation or defacement: Changing or disrupting site content.
- Reputation damage: Eroding trust among site users and administrators.
Reference
https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/SubrionCMS/CVE-2026-12202.md
Finder
By: CVE-Hunters
