CVE-2026-53737
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.
Risk Assessment
This vulnerability could lead to the execution of malicious code in the administrator's browser, posing a risk of system takeover or data theft.
Recommendation
It is recommended to update Juicer to the latest version that fixes this vulnerability and to implement appropriate security measures to filter data from remote sources.
Original NVD description (English source)
Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

