GHSA-8RQ5-WWPP-FMJ2

Vulnerability from github – Published: 2026-05-05 20:32 – Updated: 2026-05-13 16:24
Summary
YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers
Details

Description: Stored Cross-Site Scripting (XSS) occurs when user-supplied input is persisted by the application and later rendered in another user's browser without proper sanitization or contextual output encoding. When the vulnerable sink is a high-traffic surface such as a public forum thread, the payload executes in the browser of every user who visits the page, maximizing both reach and impact. Any JavaScript injected through such a sink runs under the application's origin and inherits the privileges of whichever user happens to view the affected content.

Issue Details: The thread posting and reply feature accepts user-supplied content that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. Submitting a post or reply containing "><img src=x onerror=prompt(0)> causes the payload to break out of the surrounding HTML context and inject a fully attacker-controlled <img> element whose onerror handler fires automatically as soon as the broken image reference fails to load. Because posts and replies are visible to every user who visits the thread, authenticated or otherwise, the injected JavaScript executes in each viewer's browser the moment the page renders, with no additional interaction required.

Impact: An attacker with a standard forum account can execute arbitrary JavaScript in the browser of every user who loads the affected thread, including moderators and administrators. This enables session/auth-cookie theft, account takeover through same-origin state-changing requests, forced privileged actions if an administrator views the thread, credential phishing via injected login overlays, forum defacement, cryptominer or malware delivery, and mass redirection of viewers to attacker-controlled sites. Because the payload triggers automatically on page load rather than requiring hover or click interaction, a single malicious post can compromise a large number of users very quickly.

Likelihood: Exploitation requires only a registered account with permission to post or reply, which is available to every forum member by default. Once posted, the payload fires automatically for any visitor who opens the thread, requiring zero victim interaction and making the overall likelihood high.

Steps to Reproduce:
- Log in to the forum as any low-privileged user (Attacker).
- Navigate to any thread where posting or replying is allowed, or create a new thread.
- In the post/reply body, submit the payload: "><img src=x onerror=prompt(0)>
- Publish the post or reply.
- Log in as a different user (e.g., Admin) or visit the thread in a separate browser session.
- Open the thread page; the injected <img> fails to load and the onerror handler fires, producing a prompt(0) dialog and confirming arbitrary JavaScript execution in the viewer's session context.
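The defect class the advisory describes (CWE-116/CWE-79: output rendered without contextual encoding) is shown below as an added example in JavaScript; it is not YAFNET code (YAFNET itself is an ASP.NET application) and the `renderPost*` template, the author field and the `injectedTags` check are constructed for illustration. The advisory's own payload is used as the input, once through raw concatenation and once through an HTML encoder.

```javascript
// Added example (not YAFNET code): the same post body rendered by the
// vulnerable pattern and by the hardened pattern, with a coarse check that
// makes the difference visible.

// Constructed sample input: the exact payload quoted in the advisory.
const PAYLOAD = '"><img src=x onerror=prompt(0)>';

// Vulnerable pattern: untrusted post text concatenated straight into markup.
// The leading "> closes whatever it lands in, and the <img> becomes a live
// element whose onerror handler runs for every viewer of the page.
function renderPostUnsafe(author, body) {
  return `<div class="post" data-author="${author}"><p>${body}</p></div>`;
}

// Encoder for HTML element content and double-quoted attribute values.
// Every character that can change the parser's state becomes an entity.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: encode at the point of output, in every interpolation.
function renderPostSafe(author, body) {
  return `<div class="post" data-author="${escapeHtml(author)}"><p>${escapeHtml(body)}</p></div>`;
}

// Coarse check, constructed for this example only: list any tag names in the
// rendered markup that the template itself does not emit.
function injectedTags(html) {
  const allowed = new Set(['div', '/div', 'p', '/p']);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => !allowed.has(t));
}

console.log('unsafe :', injectedTags(renderPostUnsafe('alice', PAYLOAD)));  // ['img']
console.log('safe   :', injectedTags(renderPostSafe('alice', PAYLOAD)));    // []
console.log(renderPostSafe('alice', PAYLOAD));
```

A forum that intentionally allows rich markup still needs an allow-list sanitizer in front of this step; the example treats the post body as plain text.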


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.4"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "YAFNET.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-beta01"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.11"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "YAFNET.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:32:47Z",
    "nvd_published_at": "2026-05-12T15:16:15Z",
    "severity": "HIGH"
  },
  "details": "**Description:**\nStored Cross-Site Scripting (XSS) occurs when user-supplied input is persisted by the application and later rendered in another user\u0027s browser without proper sanitization or contextual output encoding. When the vulnerable sink is a high-traffic surface such as a public forum thread, the payload executes in the browser of every user who visits the page, maximizing both reach and impact. Any JavaScript injected through such a sink runs under the application\u0027s origin and inherits the privileges of whichever user happens to view the affected content.\n\n**Issue Details:**\nThe thread posting and reply feature accepts user-supplied content that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. Submitting a post or reply containing `\"\u003e\u003cimg src=x onerror=prompt(0)\u003e` causes the payload to break out of the surrounding HTML context and inject a fully attacker-controlled `\u003cimg\u003e` element whose `onerror` handler fires automatically as soon as the broken image reference fails to load. Because posts and replies are visible to every user who visits the thread, authenticated or otherwise, the injected JavaScript executes in each viewer\u0027s browser the moment the page renders, with no additional interaction required.\n\n**Impact:**\nAn attacker with a standard forum account can execute arbitrary JavaScript in the browser of every user who loads the affected thread, including moderators and administrators. This enables session/auth-cookie theft, account takeover through same-origin state-changing requests, forced privileged actions if an administrator views the thread, credential phishing via injected login overlays, forum defacement, cryptominer or malware delivery, and mass redirection of viewers to attacker-controlled sites. Because the payload triggers automatically on page load rather than requiring hover or click interaction, a single malicious post can compromise a large number of users very quickly.\n\n**Likelihood:**\nExploitation requires only a registered account with permission to post or reply, which is available to every forum member by default. Once posted, the payload fires automatically for any visitor who opens the thread, requiring zero victim interaction and making the overall likelihood high.\n\n**Steps to Reproduce:**\n- Log in to the forum as any low-privileged user (Attacker).\n- Navigate to any thread where posting or replying is allowed, or create a new thread.\n- In the post/reply body, submit the payload: `\"\u003e\u003cimg src=x onerror=prompt(0)\u003e`\n- Publish the post or reply.\n- Log in as a different user (e.g., Admin) or visit the thread in a separate browser session.\n- Open the thread page, the injected `\u003cimg\u003e` fails to load and the `onerror` handler fires, producing a `prompt(0)` dialog and confirming arbitrary JavaScript execution in the viewer\u0027s session context.\n\u003cimg width=\"1127\" height=\"745\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b93442ea-1d8e-4079-ab4f-e52d41d110f3\" /\u003e",
  "id": "GHSA-8rq5-wwpp-fmj2",
  "modified": "2026-05-13T16:24:29Z",
  "published": "2026-05-05T20:32:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-8rq5-wwpp-fmj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43939"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/YAFNET/YAFNET"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/releases/tag/v3.2.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/releases/tag/v4.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers"
}