XMB Forum 1.9.12.06 Persistent Cross-Site Scripting via Admin Templates

Advisories

severity: medium
date: December 11, 2025
Affecting: XMB Forum 1.9.12.06
CVE: CVE-2024-58292
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-52044
XMB Forum Homepage
Official Software Download
Credit: Chokri Hammedi
Description: XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered.