{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5249", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-31T16:00:50.059Z", "datePublished": "2026-04-01T01:30:16.723Z", "dateUpdated": "2026-04-03T16:37:46.875Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-01T01:30:16.723Z"}, "title": "gougucms Record Endpoint record.html cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "n/a", "product": "gougucms", "versions": [{"version": "4.08.18", "status": "affected"}], "cpes": ["cpe:2.3:a:gougucms:gougucms:*:*:*:*:*:*:*:*"], "modules": ["Record Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \\gougucms-master\\app\\admin\\view\\user\\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-31T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-31T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-31T18:06:07.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "thinhnee (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354430", "name": "VDB-354430 | gougucms Record Endpoint record.html cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354430/cti", "name": "VDB-354430 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780716", "name": "Submit #780716 | \u52fe\u80a1\u5f00\u6e90 gougucms v4.08.18 Stored XSS", "tags": ["third-party-advisory"]}, {"url": "https://thinhneee.github.io/posts/gougu-blind-xss/", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:37:27.179405Z", "id": "CVE-2026-5249", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:37:46.875Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5249", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:37:27.179405Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:37:39.282Z"}}], "cna": {"title": "gougucms Record Endpoint record.html cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "thinhnee (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:gougucms:gougucms:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["Record Endpoint"], "product": "gougucms", "versions": [{"status": "affected", "version": "4.08.18"}]}], "timeline": [{"lang": "en", "time": "2026-03-31T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-31T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-31T18:06:07.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354430", "name": "VDB-354430 | gougucms Record Endpoint record.html cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354430/cti", "name": "VDB-354430 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780716", "name": "Submit #780716 | \u52fe\u80a1\u5f00\u6e90 gougucms v4.08.18 Stored XSS", "tags": ["third-party-advisory"]}, {"url": "https://thinhneee.github.io/posts/gougu-blind-xss/", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \\gougucms-master\\app\\admin\\view\\user\\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-01T01:30:16.723Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5249", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:37:46.875Z", "dateReserved": "2026-03-31T16:00:50.059Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-01T01:30:16.723Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \\gougucms-master\\app\\admin\\view\\user\\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en gougucms 4.08.18. Esto afecta una funci\u00f3n desconocida del archivo \\gougucms-master\\app\\admin\\view\\user\\record.html del componente Record Endpoint. Realizar una manipulaci\u00f3n del argumento value.content resulta en cross site scripting. Es posible iniciar el ataque de forma remota. El exploit ha sido hecho p\u00fablico y podr\u00eda ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-5249", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-01T02:16:03.890", "references": [{"source": "cna@vuldb.com", "url": "https://thinhneee.github.io/posts/gougu-blind-xss/"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780716"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354430"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354430/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.08.18"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "gougucms", "source": "cna", "vendor": "n/a"}, "product": "gougucms", "vendor": "gougucms"}], "analysis": {"en": {"generated_at": "2026-04-01T07:23:18.180945+00:00", "value": {"mitigation_remediation": ["Continuously monitor application logs and security tools for requests targeting /user/record.html that include unexpected or malicious value.content payloads.", "Implement input validation or sanitization on the value.content parameter before it is inserted into the page.", "Deploy a strong Content Security Policy that blocks inline scripts and restricts script sources for the affected pages.", "If the Record Endpoint feature is not needed, disable or remove it from the application to eliminate the attack surface.", "Regularly check the gougucms community forums or official website for an updated release or patch that addresses the XSS flaw."], "summary": {"action": "Monitor", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the gougucms content management system, specifically version 4.08.18, and the Record Endpoint module. No other vendors or product variations were listed, and the issue is limited to this version of gougucms.", "description_and_impact": "A cross\u2011site scripting vulnerability exists in gougucms version 4.08.18 within the Record Endpoint at record.html. An attacker can inject malicious script by manipulating the value.content argument. The flaw is exploitable remotely and a public exploit demonstrates its use. Successful exploitation allows arbitrary script execution in the victim's browser, enabling session hijacking, data theft, or malicious actions performed under the victim's authority. The impact is confined to client\u2011side code execution and does not directly compromise the server or its data.", "risk_and_exploitability": "With a CVSS base score of 5.1, the vulnerability carries a moderate severity. EPSS information is unavailable, and it is not included in the CISA KEV catalog. The publicly available proof\u2011of\u2011concept shows that the exploit can be launched remotely by sending a crafted request to the value.content parameter. Because the attack requires only client interaction with the vulnerable page, the risk is high for users who visit the affected endpoint. The lack of an official vendor patch places the burden of mitigation on site administrators."}}}}, "created": "2026-04-02T07:50:27.917805+00:00", "updated": "2026-04-02T20:18:34.417971+00:00", "vendors": ["gougucms", "gougucms$PRODUCT$gougucms"]}