Zomplog 3.9 Cross-Site Scripting Vulnerability via Page Creation

Advisories

severity: medium
date: December 15, 2025
Affecting: Zomplog 3.9
CVE: CVE-2023-53887
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-51625
Zomplog Archived Product Webpage
Credit: Mirabbas Ağalarov
Description: Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser.