Vulnerability Description
Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through the profile edit request, which are then executed site-wide whenever the affected user's name is displayed. This allows the attacker to execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-1953?
CVE-2026-1953 is a documented vulnerability. Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize u...
How severe is CVE-2026-1953?
CVSS scoring is not yet available for CVE-2026-1953. Check NVD for updates.
Is there a patch for CVE-2026-1953?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.