Five vulnerabilities have been identified in nukeviet/nukeviet, affecting the Comment module, Request filtering mechanism, file handling, and server information update functionality. The flaws include reflected and stored Cross-Site Scripting (XSS), path traversal leading to arbitrary file deletion, and Server-Side Request Forgery (SSRF). These issues allow attackers to execute JavaScript in user browsers, steal sensitive information, perform phishing attacks, delete critical application files, or force the server to make unauthorized requests. Some vulnerabilities require low-privileged or administrative access, while others can be exploited remotely without authentication. Users are advised to upgrade to patched versions and apply vendor-recommended fixes.
CVE-2026-48118 (CVSS 8.2 — High): An unauthenticated reflected XSS vulnerability was discovered in the Comment Module of NukeViet, allowing attackers to inject malicious code into user comments. This can lead to arbitrary code execution and potentially allow attackers to steal sensitive information or take control of affected systems.[/subscribe_to_unlock_form]
Five vulnerabilities have been identified in nukeviet/nukeviet, affecting the Comment module, Request filtering mechanism, file handling, and server information update functionality. The flaws include reflected and stored Cross-Site Scripting (XSS), path traversal leading to arbitrary file deletion, and Server-Side Request Forgery (SSRF). These issues allow attackers to execute JavaScript in user browsers, steal sensitive information, perform phishing attacks, delete critical application files, or force the server to make unauthorized requests. Some vulnerabilities require low-privileged or administrative access, while others can be exploited remotely without authentication. Users are advised to upgrade to patched versions and apply vendor-recommended fixes.
CVE-2026-48118 (CVSS 8.2 — High): An unauthenticated reflected XSS vulnerability was discovered in the Comment Module of NukeViet, allowing attackers to inject malicious code into user comments. This can lead to arbitrary code execution and potentially allow attackers to steal sensitive information or take control of affected systems.[emaillocker id="1283"]
CVE-2026-49259 (CVSS 8.7 — High): An improper neutralization of input during web page generation was found in NukeViet, resulting in a cross-site scripting vulnerability. This can be exploited by attackers to inject malicious scripts into user sessions and potentially steal sensitive information or take control of affected systems.
CVE-2026-54064 (CVSS 8.7 — High): Multiple anti-XSS filter bypasses were discovered in the News Module of NukeViet, leading to stored XSS vulnerabilities. This can allow attackers to inject malicious code into user sessions and potentially steal sensitive information or take control of affected systems.
CVE-2026-54065 (CVSS 8.7 — High): A path traversal vulnerability was found in the Edit Comment function of NukeViet, allowing attackers to delete arbitrary files on the system. This can lead to data loss and potentially allow attackers to gain unauthorized access to sensitive information.
CVE-2026-55372 (CVSS 7.2 — High): A pre-authentication SSRF vulnerability was discovered in NukeViet via the X-Forwarded-Host header, allowing attackers to perform server-side request forgery attacks on affected systems. This can lead to arbitrary code execution and potentially allow attackers to steal sensitive information or take control of affected systems.
We recommend you to update nukeviet/nukeviet to version 4.6.00 or later.
The following reports contain further technical details:
[/emaillocker]