dameng100 muucmf index.html cross site scripting

A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the file /admin/Member/index.html. This manipulation of the argument Search causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Problem type

Affected products

dameng100

muucmf

1.9.5.20260309 - AFFECTED

References

VDB-353150 | dameng100 muucmf index.html cross site scripting

https://vuldb.com/?id.353150

vdb-entrytechnical-description

VDB-353150 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.353150

signaturepermissions-required

Submit #776174 | MuuCmf https://gitee.com/dameng100/muucmf 1.9.5.20260309 Improper Neutralization of Alternate XSS Syntax

https://vuldb.com/?submit.776174

third-party-advisory

thinhneee.github.io

https://thinhneee.github.io/posts/muucmf-xss/

exploit

GitHub Security Advisories

GHSA-39hw-jm9g-6r53

A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the...

https://github.com/advisories/GHSA-39hw-jm9g-6r53

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-4845

thinhneee.github.io

https://thinhneee.github.io/posts/muucmf-xss

vuldb.com

https://vuldb.com/?ctiid.353150

vuldb.com

https://vuldb.com/?id.353150

vuldb.com

https://vuldb.com/?submit.776174

github.com

https://github.com/advisories/GHSA-39hw-jm9g-6r53

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-4845

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-4845",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-03-26T13:54:43.815Z",
    "dateReserved": "2026-03-25T14:51:22.498Z",
    "datePublished": "2026-03-26T05:31:34.746Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-03-26T05:31:34.746Z"
      },
      "title": "dameng100 muucmf index.html cross site scripting",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the file /admin/Member/index.html. This manipulation of the argument Search causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "affected": [
        {
          "vendor": "dameng100",
          "product": "muucmf",
          "versions": [
            {
              "version": "1.9.5.20260309",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Cross Site Scripting",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Code Injection",
              "cweId": "CWE-94",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.353150",
          "name": "VDB-353150 | dameng100 muucmf index.html cross site scripting",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.353150",
          "name": "VDB-353150 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.776174",
          "name": "Submit #776174 | MuuCmf https://gitee.com/dameng100/muucmf 1.9.5.20260309 Improper Neutralization of Alternate XSS Syntax",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://thinhneee.github.io/posts/muucmf-xss/",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "baseScore": 5
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-03-25T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-03-25T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-03-25T15:56:41.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "thinhnee (VulDB User)",
          "type": "reporter"
        },
        {
          "lang": "en",
          "value": "VulDB",
          "type": "coordinator"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-26T13:54:43.815Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}