CVE Catalog

CVE-2026-40457

Severity: Low (CVSS 2.1)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.32%

23rd percentile (higher than 23% of all known CVEs)

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the 'dbrecover.php' and 'netremap.php' modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link.

Risk Assessment

This vulnerability could lead to session hijacking or data theft, posing a serious security risk to the organization.

Recommendation

It is recommended to update LMS to the latest version (the issue is fixed as of commit 9c5651b) and to apply proper input sanitization, in particular context-appropriate output encoding of GET parameters before they are embedded in HTML, so that injected markup is rendered as text rather than executed.
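As an added illustration of the pattern described in the summary and the fix the recommendation calls for (example code, not code from the LMS project): the GET parameter name `id` is a placeholder and not one of the affected modules' real parameters.

```php
<?php
// Added example, not LMS code. The parameter name 'id' is a placeholder.

// Vulnerable pattern: a GET parameter is written straight into the HTML
// response, so any markup it carries is interpreted by the browser
// (reflected XSS, as described for dbrecover.php and netremap.php).
function render_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return "<h2>Network " . $id . "</h2>";
}

// Hardened pattern: encode for the HTML context before embedding.
// ENT_QUOTES also encodes single quotes (relevant inside attribute values);
// the explicit charset avoids encoding mismatches.
function render_hardened(array $get): string
{
    $id = htmlspecialchars($get['id'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Network " . $id . "</h2>";
}

// Where the value is expected to be numeric, validate it as well so that
// anything other than an integer is rejected before rendering.
function render_validated(array $get): string
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return "<h2>Invalid network id</h2>";
    }
    return "<h2>Network " . $id . "</h2>";
}

// Constructed input carrying harmless, visible markup to show the difference.
$sample = ['id' => '<b>marker</b>'];
echo render_vulnerable($sample), "\n"; // markup survives and would be interpreted
echo render_hardened($sample), "\n";   // shown as the literal text <b>marker</b>
echo render_validated($sample), "\n";  // rejected: not an integer
```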

Original NVD description (English source)

A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the "dbrecover.php" and "netremap.php" modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link, provided the required conditions (such as a network defined in the system) are met.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS