<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>CVE-2026-12202</title>
    <link>https://www.cvehunters.com/pt/p/cve-2026-12202/</link>
    <description>Stored Cross-Site Scripting (XSS)</description>
    <atom:link href="https://www.cvehunters.com/pt/p/cve-2026-12202/index.xml" rel="self" type="application/rss+xml"/>

    <item>
      <title>CVE-2026-12202</title>
      <link>https://www.cvehunters.com/pt/p/cve-2026-12202/</link>
      <guid>https://www.cvehunters.com/pt/p/cve-2026-12202/</guid>
      <description>&amp;lt;h2 id=&amp;#34;cve-2026-12202-cross-site-scripting-xss-armazenado-no-parâmetro-css-class-name-do-endpoint-blocks&amp;#34;&amp;gt;CVE-2026-12202: Stored Cross-Site Scripting (XSS) in the &amp;lt;code&amp;gt;CSS class name&amp;lt;/code&amp;gt; parameter of the &amp;lt;code&amp;gt;Blocks&amp;lt;/code&amp;gt; endpoint
&amp;lt;/h2&amp;gt;&amp;lt;blockquote&amp;gt;
&amp;lt;p&amp;gt;&amp;lt;em&amp;gt;&amp;lt;strong&amp;gt;CVE publication: &amp;lt;a class=&amp;#34;link&amp;#34; href=&amp;#34;https://www.cve.org/CVERecord?id=CVE-2026-12202&amp;#34;  target=&amp;#34;_blank&amp;#34; rel=&amp;#34;noopener&amp;#34;
    &amp;gt;https://www.cve.org/CVERecord?id=CVE-2026-12202&amp;lt;/a&amp;gt;&amp;lt;/strong&amp;gt;&amp;lt;/em&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;/blockquote&amp;gt;
&amp;lt;h2 id=&amp;#34;resumo&amp;#34;&amp;gt;Summary
&amp;lt;/h2&amp;gt;&amp;lt;p style=&amp;#34;text-align: justify;&amp;#34;&amp;gt;A Stored Cross-Site Scripting (XSS) vulnerability was identified in the &amp;lt;code&amp;gt;Blocks&amp;lt;/code&amp;gt; endpoint of the Subrion CMS application. This vulnerability allows attackers to inject malicious scripts through the &amp;lt;code&amp;gt;CSS class name&amp;lt;/code&amp;gt; parameter. The injected scripts are stored on the server and executed automatically, representing a significant security risk.&amp;lt;/p&amp;gt;
&amp;lt;h2 id=&amp;#34;detalhes&amp;#34;&amp;gt;Details
&amp;lt;/h2&amp;gt;&amp;lt;p&amp;gt;Vulnerable Endpoint: &amp;lt;code&amp;gt;Blocks&amp;lt;/code&amp;gt;&amp;lt;/p&amp;gt;</description><content:encoded>&amp;lt;h2 id=&amp;#34;cve-2026-12202-cross-site-scripting-xss-armazenado-no-parâmetro-css-class-name-do-endpoint-blocks&amp;#34;&amp;gt;CVE-2026-12202: Stored Cross-Site Scripting (XSS) in the &amp;lt;code&amp;gt;CSS class name&amp;lt;/code&amp;gt; parameter of the &amp;lt;code&amp;gt;Blocks&amp;lt;/code&amp;gt; endpoint
&amp;lt;/h2&amp;gt;&amp;lt;blockquote&amp;gt;
&amp;lt;p&amp;gt;&amp;lt;em&amp;gt;&amp;lt;strong&amp;gt;CVE publication: &amp;lt;a class=&amp;#34;link&amp;#34; href=&amp;#34;https://www.cve.org/CVERecord?id=CVE-2026-12202&amp;#34;  target=&amp;#34;_blank&amp;#34; rel=&amp;#34;noopener&amp;#34;
    &amp;gt;https://www.cve.org/CVERecord?id=CVE-2026-12202&amp;lt;/a&amp;gt;&amp;lt;/strong&amp;gt;&amp;lt;/em&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;/blockquote&amp;gt;
&amp;lt;h2 id=&amp;#34;resumo&amp;#34;&amp;gt;Summary
&amp;lt;/h2&amp;gt;&amp;lt;p style=&amp;#34;text-align: justify;&amp;#34;&amp;gt;A Stored Cross-Site Scripting (XSS) vulnerability was identified in the &amp;lt;code&amp;gt;Blocks&amp;lt;/code&amp;gt; endpoint of the Subrion CMS application. This vulnerability allows attackers to inject malicious scripts through the &amp;lt;code&amp;gt;CSS class name&amp;lt;/code&amp;gt; parameter. The injected scripts are stored on the server and executed automatically, representing a significant security risk.&amp;lt;/p&amp;gt;
&amp;lt;h2 id=&amp;#34;detalhes&amp;#34;&amp;gt;Details
&amp;lt;/h2&amp;gt;&amp;lt;p&amp;gt;Vulnerable Endpoint: &amp;lt;code&amp;gt;Blocks&amp;lt;/code&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;p&amp;gt;Parameter: &amp;lt;code&amp;gt;CSS class name&amp;lt;/code&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;h2 id=&amp;#34;poc&amp;#34;&amp;gt;PoC
&amp;lt;/h2&amp;gt;&amp;lt;h3 id=&amp;#34;payload&amp;#34;&amp;gt;Payload
&amp;lt;/h3&amp;gt;&amp;lt;div class=&amp;#34;highlight&amp;#34;&amp;gt;&amp;lt;div class=&amp;#34;chroma&amp;#34;&amp;gt;
&amp;lt;table class=&amp;#34;lntable&amp;#34;&amp;gt;&amp;lt;tr&amp;gt;&amp;lt;td class=&amp;#34;lntd&amp;#34;&amp;gt;
&amp;lt;pre tabindex=&amp;#34;0&amp;#34; class=&amp;#34;chroma&amp;#34;&amp;gt;&amp;lt;code&amp;gt;&amp;lt;span class=&amp;#34;lnt&amp;#34;&amp;gt;1
&amp;lt;/span&amp;gt;&amp;lt;/code&amp;gt;&amp;lt;/pre&amp;gt;&amp;lt;/td&amp;gt;
&amp;lt;td class=&amp;#34;lntd&amp;#34;&amp;gt;
&amp;lt;pre tabindex=&amp;#34;0&amp;#34; class=&amp;#34;chroma&amp;#34;&amp;gt;&amp;lt;code class=&amp;#34;language-html&amp;#34; data-lang=&amp;#34;html&amp;#34;&amp;gt;&amp;lt;span class=&amp;#34;line&amp;#34;&amp;gt;&amp;lt;span class=&amp;#34;cl&amp;#34;&amp;gt;&amp;amp;#34;&amp;amp;gt;&amp;lt;span class=&amp;#34;p&amp;#34;&amp;gt;&amp;amp;lt;&amp;lt;/span&amp;gt;&amp;lt;span class=&amp;#34;nt&amp;#34;&amp;gt;img&amp;lt;/span&amp;gt; &amp;lt;span class=&amp;#34;na&amp;#34;&amp;gt;src&amp;lt;/span&amp;gt;&amp;lt;span class=&amp;#34;o&amp;#34;&amp;gt;=&amp;lt;/span&amp;gt;&amp;lt;span class=&amp;#34;s&amp;#34;&amp;gt;x&amp;lt;/span&amp;gt; &amp;lt;span class=&amp;#34;na&amp;#34;&amp;gt;onerror&amp;lt;/span&amp;gt;&amp;lt;span class=&amp;#34;o&amp;#34;&amp;gt;=&amp;lt;/span&amp;gt;&amp;lt;span class=&amp;#34;s&amp;#34;&amp;gt;alert(&amp;amp;#39;CVE-Hunters2&amp;amp;#39;)&amp;lt;/span&amp;gt;&amp;lt;span class=&amp;#34;p&amp;#34;&amp;gt;&amp;amp;gt;&amp;lt;/span&amp;gt;
&amp;lt;/span&amp;gt;&amp;lt;/span&amp;gt;&amp;lt;/code&amp;gt;&amp;lt;/pre&amp;gt;&amp;lt;/td&amp;gt;&amp;lt;/tr&amp;gt;&amp;lt;/table&amp;gt;
&amp;lt;/div&amp;gt;
&amp;lt;/div&amp;gt;&amp;lt;h3 id=&amp;#34;passos-para-reprodução&amp;#34;&amp;gt;Steps to Reproduce:
&amp;lt;/h3&amp;gt;&amp;lt;p style=&amp;#34;text-align: justify;&amp;#34;&amp;gt;Access the administrative panel and click &amp;lt;code&amp;gt;&amp;#34;Edit Blocks&amp;#34;&amp;lt;/code&amp;gt;. On the &amp;lt;code&amp;gt;&amp;#34;Blocks&amp;#34;&amp;lt;/code&amp;gt; page, click the &amp;lt;code&amp;gt;&amp;#34;Add Block&amp;#34;&amp;lt;/code&amp;gt; button to configure a new entry. Enter the payload in the &amp;lt;code&amp;gt;&amp;#34;CSS class name&amp;#34;&amp;lt;/code&amp;gt; field, type any content into the other fields and click &amp;lt;code&amp;gt;&amp;#34;Add&amp;#34;&amp;lt;/code&amp;gt;. The payload will be triggered automatically:&amp;lt;/p&amp;gt;
&amp;lt;p&amp;gt;&amp;lt;img src=&amp;#34;/p/cve-2026-12202/image.png&amp;#34;
	width=&amp;#34;665&amp;#34;
	height=&amp;#34;398&amp;#34;
	srcset=&amp;#34;/p/cve-2026-12202/image_hu_2984c7c58cac0ae0.png 480w, /p/cve-2026-12202/image_hu_8a998a312d88a856.png 1024w&amp;#34;
	loading=&amp;#34;lazy&amp;#34;
	class=&amp;#34;gallery-image&amp;#34;
	data-flex-grow=&amp;#34;167&amp;#34;
	data-flex-basis=&amp;#34;401px&amp;#34;
 /&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;p&amp;gt;&amp;lt;img src=&amp;#34;/p/cve-2026-12202/image-1.png&amp;#34;
	width=&amp;#34;690&amp;#34;
	height=&amp;#34;284&amp;#34;
	srcset=&amp;#34;/p/cve-2026-12202/image-1_hu_86e17d63b02dbe9d.png 480w, /p/cve-2026-12202/image-1_hu_2d7f2387cc2508c8.png 1024w&amp;#34;
	loading=&amp;#34;lazy&amp;#34;
	class=&amp;#34;gallery-image&amp;#34;
	data-flex-grow=&amp;#34;242&amp;#34;
	data-flex-basis=&amp;#34;583px&amp;#34;
 /&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;h2 id=&amp;#34;impacto&amp;#34;&amp;gt;Impact
&amp;lt;/h2&amp;gt;&amp;lt;p style=&amp;#34;text-align: justify;&amp;#34;&amp;gt;
&amp;lt;ul&amp;gt;
&amp;lt;li&amp;gt;Session hijacking: Theft of cookies or authentication tokens to impersonate users.&amp;lt;/li&amp;gt;
&amp;lt;li&amp;gt;Credential theft: Harvesting of usernames and passwords using malicious scripts.&amp;lt;/li&amp;gt;
&amp;lt;li&amp;gt;Malware distribution: Spreading unwanted or harmful code to victims.&amp;lt;/li&amp;gt;
&amp;lt;li&amp;gt;Privilege escalation: Compromise of administrative users through persistent scripts.&amp;lt;/li&amp;gt;
&amp;lt;li&amp;gt;Data manipulation or defacement: Alteration or disruption of site content.&amp;lt;/li&amp;gt;
&amp;lt;li&amp;gt;Reputational damage: Erosion of trust between users and site administrators.&amp;lt;/li&amp;gt;
&amp;lt;/ul&amp;gt;
&amp;lt;/p&amp;gt;
&amp;lt;h2 id=&amp;#34;referência&amp;#34;&amp;gt;Reference
&amp;lt;/h2&amp;gt;&amp;lt;p&amp;gt;&amp;lt;em&amp;gt;&amp;lt;strong&amp;gt;&amp;lt;a class=&amp;#34;link&amp;#34; href=&amp;#34;https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/SubrionCMS/CVE-2026-12202.md&amp;#34;  target=&amp;#34;_blank&amp;#34; rel=&amp;#34;noopener&amp;#34;
    &amp;gt;https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/SubrionCMS/CVE-2026-12202.md&amp;lt;/a&amp;gt;&amp;lt;/strong&amp;gt;&amp;lt;/em&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;h2 id=&amp;#34;encontrado-por&amp;#34;&amp;gt;Found by
&amp;lt;/h2&amp;gt;&amp;lt;p&amp;gt;&amp;lt;a class=&amp;#34;link&amp;#34; href=&amp;#34;https://www.linkedin.com/in/karina-gante/&amp;#34;  target=&amp;#34;_blank&amp;#34; rel=&amp;#34;noopener&amp;#34;
    &amp;gt;&amp;lt;img src=&amp;#34;/assets/contributors/50x50/karina50x50.png&amp;#34;
	loading=&amp;#34;lazy&amp;#34;
 /&amp;gt;&amp;lt;/a&amp;gt; &amp;lt;a class=&amp;#34;link&amp;#34; href=&amp;#34;https://www.linkedin.com/in/karina-gante/&amp;#34;  target=&amp;#34;_blank&amp;#34; rel=&amp;#34;noopener&amp;#34;
    &amp;gt;Karina Gante&amp;lt;/a&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;blockquote&amp;gt;
&amp;lt;p&amp;gt;&amp;lt;em&amp;gt;&amp;lt;strong&amp;gt;By: &amp;lt;a class=&amp;#34;link&amp;#34; href=&amp;#34;https://github.com/CVE-Hunters/cve-hunters&amp;#34;  target=&amp;#34;_blank&amp;#34; rel=&amp;#34;noopener&amp;#34;
    &amp;gt;CVE-Hunters&amp;lt;/a&amp;gt;&amp;lt;/strong&amp;gt;&amp;lt;/em&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;/blockquote&amp;gt;
</content:encoded>

      <pubDate>Mon, 15 Jun 2026 00:00:00 &#43;0000</pubDate>
    </item>
  </channel>
</rss>
