A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PUBLISHED5.2CWE-79CWE-94
dameng100 muucmf autoReply.html cross site scripting
Problem type
Affected products
dameng100
muucmf
1.9.5.20260309 - AFFECTED
References
VDB-353151 | dameng100 muucmf autoReply.html cross site scripting
https://vuldb.com/?id.353151
VDB-353151 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/?ctiid.353151
Submit #776190 | MuuCmf MuuCmf T6 cms 1.9.5.20260309 Improper Neutralization of Alternate XSS Syntax
https://vuldb.com/?submit.776190
thinhneee.github.io
https://thinhneee.github.io/posts/muucmf-xss-channel/
GitHub Security Advisories
GHSA-hxcx-9gwg-xxw5
A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an...
https://github.com/advisories/GHSA-hxcx-9gwg-xxw5A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-4846
thinhneee.github.io
https://thinhneee.github.io/posts/muucmf-xss-channel
vuldb.com
https://vuldb.com/?ctiid.353151
vuldb.com
https://vuldb.com/?id.353151
vuldb.com
https://vuldb.com/?submit.776190
github.com
https://github.com/advisories/GHSA-hxcx-9gwg-xxw5
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-4846Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-4846",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-03-26T18:25:37.762Z",
"dateReserved": "2026-03-25T14:51:29.579Z",
"datePublished": "2026-03-26T05:31:37.697Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-03-26T05:31:37.697Z"
},
"title": "dameng100 muucmf autoReply.html cross site scripting",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"affected": [
{
"vendor": "dameng100",
"product": "muucmf",
"versions": [
{
"version": "1.9.5.20260309",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Cross Site Scripting",
"cweId": "CWE-79",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Code Injection",
"cweId": "CWE-94",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/?id.353151",
"name": "VDB-353151 | dameng100 muucmf autoReply.html cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/?ctiid.353151",
"name": "VDB-353151 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/?submit.776190",
"name": "Submit #776190 | MuuCmf MuuCmf T6 cms 1.9.5.20260309 Improper Neutralization of Alternate XSS Syntax",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://thinhneee.github.io/posts/muucmf-xss-channel/",
"tags": [
"exploit"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"baseScore": 4.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"baseScore": 4.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"baseScore": 5
}
}
],
"timeline": [
{
"time": "2026-03-25T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-03-25T01:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-03-25T15:56:43.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "thinhnee (VulDB User)",
"type": "reporter"
},
{
"lang": "en",
"value": "VulDB",
"type": "coordinator"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-03-26T18:25:37.762Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}