CVE-2026-48788

June 17, 2026, 4:28 p.m.

8.2
High

Description

Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.

Product(s) Impacted

Vendor Product Versions
Remark42
  • Remark42
  • 1.6.0-1.15.0, 1.16.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a remark42 remark42 1.6.0-1.15.0 / / / / / / /
a remark42 remark42 1.16.0 / / / / / / /

References

https://github.com/umputun/remark42/commit/78d6de6bce1e961f023969da3ec8a00dd80c9ae8
https://github.com/umputun/remark42/releases/tag/v1.16.0
https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp
https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp

Tags

[email protected]
CWE-79
2026-06-17
CVE-2026-48788

CVSS Score

8.2 / 10

CVSS Data - 3.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

    View Vector String

Timeline

Published: June 17, 2026, 1:20 p.m.
Last Modified: June 17, 2026, 4:28 p.m.

Status : Deferred

When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.