{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48788", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-22T20:18:20.365Z", "datePublished": "2026-06-16T22:29:38.877Z", "dateUpdated": "2026-06-17T13:20:11.543Z"}, "containers": {"cna": {"title": "Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.0"}}], "references": [{"name": "https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp"}, {"name": "https://github.com/umputun/remark42/commit/78d6de6bce1e961f023969da3ec8a00dd80c9ae8", "tags": ["x_refsource_MISC"], "url": "https://github.com/umputun/remark42/commit/78d6de6bce1e961f023969da3ec8a00dd80c9ae8"}, {"name": "https://github.com/umputun/remark42/releases/tag/v1.16.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/umputun/remark42/releases/tag/v1.16.0"}], "affected": [{"vendor": "umputun", "product": "remark42", "versions": [{"version": ">= 1.6.0, < 1.16.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-16T22:29:38.877Z"}, "descriptions": [{"lang": "en", "value": "Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0."}], "source": {"advisory": "GHSA-4c8j-mgm4-qqvp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-17T13:19:50.596883Z", "id": "CVE-2026-48788", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T13:20:11.543Z"}}]}}

{}

{}

{}