CVE-2026-54221— Reflected XSS in UBB.threads
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| UBB Systems | UBB.threads | ≤ 7.7.5 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-54221
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Reflected XSS in UBB.threads
Source: NVD (National Vulnerability Database)
Vulnerability Description
UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, enabling attackers to execute arbitrary JavaScript in the context of a victim's browser by tricking them into clicking a crafted link. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| UBB Systems | UBB.threads | 0 ~ 7.7.5 | - |
II. Public POCs for CVE-2026-54221
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-54221
请登录查看更多情报信息。
Security Blog Posts for CVE-2026-54221 (1)
- 🔗 Vulnerabilities in UBB.threads software | CERT Polskathird-party-advisory
Same Patch Batch · UBB Systems · 2026-06-18 · 6 CVEs total
| CVE-2026-54224 | Denial of Service in UBB.threads | |
| CVE-2026-54222 | Blind SQL Injection in UBB.threads | |
| CVE-2026-54219 | Stored XSS in UBB.threads | |
| CVE-2026-54223 | Remote Code Execution via arbitrary file read and write in UBB.threads | |
| CVE-2026-54220 | Cross-Site Request Forgery in UBB.threads |
IV. Related Vulnerabilities
Same weakness: CWE-79
- CVE-2026-57656
WordPress Hester Core plugin <= 1.1.8 - Cross Site Scripting - CVE-2026-57651
WordPress Ghost Kit plugin <= 3.6.0 - Cross Site Scripting ( - CVE-2026-57650
WordPress Magazine Blocks plugin <= 1.8.3 - Cross Site Scrip - CVE-2026-57638
WordPress Fluent Booking plugin <= 2.1.0 - Cross Site Script - CVE-2026-57629
WordPress StatCounter plugin <= 2.1.1 - Cross Site Scripting
V. Comments for CVE-2026-54221
No comments yet