CVE Catalog

CVE-2026-38579

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.08%

23th percentile - higher than 23% of all known CVEs

Summary

Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain, id, and ptid_key parameters in /substudy/ezform.php.

Risk Assessment

Attackers can exploit these vulnerabilities to conduct XSS attacks, potentially leading to user data theft or session hijacking.

Recommendation

It is recommended to validate and encode user input before displaying it in HTML and to update to the latest version of the software to eliminate these vulnerabilities.

Original NVD description (English source)

Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS