Summary
NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A stored cross-site scripting (XSS) vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display name fields. The payload executes in the browser of any visitor, including administrators, who clicks the Reply ("Answer") link on a comment posted by that user.
Affected Component
The {COMMENT.post_name} template variable is interpolated without JavaScript-context escaping into an inline onclick handler in both comment block positions:
themes/default/modules/comment/comment.tplline 27 (top-level comments)themes/default/modules/comment/comment.tplline 64 (nested/reply comments)
onclick="nv_commment_feedback(event, {COMMENT.cid}, '{COMMENT.post_name}')"
Root Cause
The first_name and last_name profile fields are sanitized with HTML numeric character references (' → ', ( → (, ) → ), / → /) via Request::_get_title() with $specialchars = true. This encoding is correct for plain HTML attribute and element contexts, but insufficient for a JavaScript string literal embedded inside an HTML attribute.
Browsers decode HTML entities in attribute values before the JavaScript engine parses the string. As a result, ' is decoded back to ', which terminates the JS string early and allows the remainder of the value to be executed as JavaScript.
The combined display name (nv_show_name_user(first_name, last_name)) is what reaches the template, giving an attacker up to ~200 encoded characters across both fields, sufficient for any practical payload.
Proof of Concept
Set first_name to the following value in profile settings (/index.php?nv=users&op=editinfo), then post any comment:
a');alert(document.domain);//
The value is stored as a');alert(document.domain);//.
When a visitor clicks the Reply link on the comment, the browser renders:
nv_commment_feedback(event, 1, 'a');alert(document.domain);// Tester')
causing alert(document.domain) to execute in the visitor's browser context.
A data-exfiltration variant (split across both name fields) navigates the victim's browser to an attacker-controlled URL carrying document.cookie as a query parameter. End-to-end verification was performed using a local listener.
Exploitation Conditions (default configuration)
| Condition | Default value | Effect |
|---|---|---|
captcha_area_comm |
1 |
No CAPTCHA for logged-in users, payload delivery requires no CAPTCHA solve |
auto_postcomm |
enabled | Comments are published immediately without moderation |
active_editinfo_censor |
0 |
Profile edits take effect immediately without admin review |
CSP script-src |
'unsafe-inline' |
Inline onclick handlers execute normally |
Any registered member can set the payload and post a comment with no additional steps.
If captcha_area_comm is set to 0, the name field of anonymous comments (modules/comment/funcs/post.php) is processed by the same get_title(..., 1) call, making exploitation possible without authentication.
Resources
- OWASP: Cross Site Scripting Prevention, Rule 2: Attribute Encoding is Not Sufficient for JS Contexts
- CWE-79: Improper Neutralization of Input During Web Page Generation
- CWE-116: Improper Encoding or Escaping of Output
Impact
An attacker with a regular user account can execute arbitrary JavaScript in the browser of any visitor who interacts with the Reply button on their comment, including site administrators.
Practical consequences include:
- Privilege escalation via admin session hijacking, forging administrative actions (content modification, account manipulation) in the context of an authenticated admin.
- Credential phishing, injecting a fake login form into the page.
- Data exfiltration, reading page content and non-
HttpOnlycookies.
Note: NukeViet session cookies carry the HttpOnly flag, so they are not directly readable via document.cookie; however, the above attack vectors remain fully viable.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2026-49259 has a CVSS score of 8.7 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.6.00); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Preferred fix: Remove post_name from the inline handler entirely. Pass only cid to nv_commment_feedback and have the function retrieve the display name from the already-rendered DOM (e.g., the adjacent <strong class="cm_item"> element).
Alternative fix: If the value must be passed inline, encode it with json_encode($post_name) (PHP) so that the output is a properly escaped JavaScript string literal, not an HTML-entity-encoded one. HTML numeric character references must not be relied upon for JavaScript string escaping.
As a general note, the result of get_title(..., $specialchars=true) is safe for HTML element content and quoted HTML attribute values, but unsafe when placed inside a JavaScript string literal within an attribute. Other locations in the codebase using the same pattern should be audited.
Frequently Asked Questions
- What is CVE-2026-49259? CVE-2026-49259 is a high-severity cross-site scripting (XSS) vulnerability in nukeviet/nukeviet (composer), affecting versions < 4.5.09. It is fixed in 4.6.00. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2026-49259? CVE-2026-49259 has a CVSS score of 8.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of nukeviet/nukeviet are affected by CVE-2026-49259? nukeviet/nukeviet (composer) versions < 4.5.09 is affected.
- Is there a fix for CVE-2026-49259? Yes. CVE-2026-49259 is fixed in 4.6.00. Upgrade to this version or later.
- Is CVE-2026-49259 exploitable, and should I be worried? Whether CVE-2026-49259 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-49259 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-49259? Upgrade
nukeviet/nukevietto 4.6.00 or later.