{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6648", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-20T05:38:49.068Z", "datePublished": "2026-04-20T13:00:44.627Z", "dateUpdated": "2026-04-20T14:51:00.368Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T13:00:44.627Z"}, "title": "Qibo CMS Internal Message cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "Qibo", "product": "CMS", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Internal Message Module"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-20T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-20T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-20T07:43:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "EthX0_ (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358282", "name": "VDB-358282 | Qibo CMS Internal Message cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358282/cti", "name": "VDB-358282 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793450", "name": "Submit #793450 | Guangzhou Qibo Network Technology Co., Ltd. Qibo CMS (x1_of_cms) X1.0 XSS", "tags": ["third-party-advisory"]}, {"url": "https://tcn60zf28jhk.feishu.cn/wiki/FHHMwcwCliOd0Bke3XkcEz3Enuc?from=from_copylink", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:49:41.997238Z", "id": "CVE-2026-6648", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:51:00.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6648", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:49:41.997238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:50:49.699Z"}}], "cna": {"title": "Qibo CMS Internal Message cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "EthX0_ (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Qibo", "modules": ["Internal Message Module"], "product": "CMS", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-20T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-20T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-20T07:43:53.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358282", "name": "VDB-358282 | Qibo CMS Internal Message cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358282/cti", "name": "VDB-358282 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793450", "name": "Submit #793450 | Guangzhou Qibo Network Technology Co., Ltd. Qibo CMS (x1_of_cms) X1.0 XSS", "tags": ["third-party-advisory"]}, {"url": "https://tcn60zf28jhk.feishu.cn/wiki/FHHMwcwCliOd0Bke3XkcEz3Enuc?from=from_copylink", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T13:00:44.627Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6648", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:51:00.368Z", "dateReserved": "2026-04-20T05:38:49.068Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-20T13:00:44.627Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6648", "lastModified": "2026-04-20T13:16:11.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T13:16:11.647", "references": [{"source": "cna@vuldb.com", "url": "https://tcn60zf28jhk.feishu.cn/wiki/FHHMwcwCliOd0Bke3XkcEz3Enuc?from=from_copylink"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/793450"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358282"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358282/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CMS", "source": "cna", "vendor": "Qibo"}, "product": "cms", "vendor": "qibo"}], "analysis": {"en": {"generated_at": "2026-04-20T15:05:50.923613+00:00", "value": {"mitigation_remediation": ["Deploy a web application firewall to filter or block malicious payloads in the internal message module.", "Apply any vendor\u2011issued patch or update as soon as it becomes available.", "Restrict or disable the internal message feature for untrusted users, or sanitize input to neutralise XSS payloads."], "summary": {"action": "Apply Patch", "impact": "Cross-site scripting"}, "threat_synthesis": {"affected_systems": "Qibo CMS 1.0, specifically the internal Message Module. The vendor, Qibo, has not issued a fix and has not responded to the disclosed vulnerability.", "description_and_impact": "A flaw in the internal Message Module of Qibo CMS 1.0 allows an attacker to inject arbitrary script or HTML when manipulating messages, resulting in cross\u2011site scripting when the affected user views it. The vulnerability is exploitable through normal web requests and can execute code within the victim\u2019s browser context.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity, and while the EPSS score is not available, the exploit has been made public, suggesting that attackers can readily target the vulnerability. The flaw can be triggered remotely, and the lack of a vendor fix or KEV listing increases the risk of ongoing exploitation. Given the remote nature of the attack vector, any user who views a crafted message could have their browser session hijacked or other malicious actions performed. The CVE description does not specify authentication requirements, implying that the vulnerability may affect all users who access the affected functionality."}}}}, "created": "2026-04-20T14:57:48.456517+00:00", "updated": "2026-04-20T15:15:09.867069+00:00", "vendors": ["qibo", "qibo$PRODUCT$cms"]}