{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32774", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-14T21:26:03.800Z", "datePublished": "2026-03-14T21:44:07.130Z", "dateUpdated": "2026-03-19T17:49:50.974Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-17T20:16:37.588Z"}, "title": "Vulnogram - Stored Cross-Site Scripting via Comment Hypertext", "datePublic": "2026-03-13T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Vulnogram", "product": "Vulnogram", "versions": [{"status": "affected", "version": "1.0.0"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vulnogram:vulnogram:1.0.0:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers.</p>"}]}], "references": [{"url": "https://github.com/Vulnogram/Vulnogram/security/advisories/GHSA-pg4p-2985-gvxr", "name": "https://github.com/Vulnogram/Vulnogram/security/advisories/GHSA-pg4p-2985-gvxr", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Vulnogram/Vulnogram", "name": "https://github.com/Vulnogram/Vulnogram", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/vulnogram-stored-cross-site-scripting-via-comment-hypertext", "name": "VulnCheck Advisory: Vulnogram - Stored Cross-Site Scripting via Comment Hypertext", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Scott Moore - VulnCheck", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32774", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:16:20.173901Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:20:21.320Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-19T17:49:50.974Z"}, "references": [{"url": "https://github.com/Vulnogram/Vulnogram/commit/2f0e21b113c58124084c7b74c9768fc241126a05"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Vulnogram/Vulnogram/commit/2f0e21b113c58124084c7b74c9768fc241126a05"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-19T17:49:50.974Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32774", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:16:20.173901Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:18:03.304Z"}}], "cna": {"title": "Vulnogram - Stored Cross-Site Scripting via Comment Hypertext", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Scott Moore - VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Vulnogram", "product": "Vulnogram", "versions": [{"status": "affected", "version": "1.0.0"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T00:00:00.000Z", "references": [{"url": "https://github.com/Vulnogram/Vulnogram/security/advisories/GHSA-pg4p-2985-gvxr", "name": "https://github.com/Vulnogram/Vulnogram/security/advisories/GHSA-pg4p-2985-gvxr", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Vulnogram/Vulnogram", "name": "https://github.com/Vulnogram/Vulnogram", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/vulnogram-stored-cross-site-scripting-via-comment-hypertext", "name": "VulnCheck Advisory: Vulnogram - Stored Cross-Site Scripting via Comment Hypertext", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers.", "supportingMedia": [{"type": "text/html", "value": "<p>Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vulnogram:vulnogram:1.0.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-17T20:16:37.588Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32774", "state": "PUBLISHED", "dateUpdated": "2026-03-19T17:49:50.974Z", "dateReserved": "2026-03-14T21:26:03.800Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-14T21:44:07.130Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vulnogram:vulnogram:1.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "A71AC629-8977-468C-BCC9-97B3C63374F5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers."}, {"lang": "es", "value": "Vulnogram 1.0.0 contiene una vulnerabilidad de cross-site scripting almacenado en el manejo de hipertexto de comentarios que permite a los atacantes inyectar scripts maliciosos. Los atacantes remotos pueden inyectar cargas \u00fatiles de XSS a trav\u00e9s de comentarios para ejecutar JavaScript arbitrario en los navegadores de las v\u00edctimas."}], "id": "CVE-2026-32774", "lastModified": "2026-03-20T18:26:35.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:44.207", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://github.com/Vulnogram/Vulnogram"}, {"source": "disclosure@vulncheck.com", "tags": ["Broken Link"], "url": "https://github.com/Vulnogram/Vulnogram/security/advisories/GHSA-pg4p-2985-gvxr"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/vulnogram-stored-cross-site-scripting-via-comment-hypertext"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/Vulnogram/Vulnogram/commit/2f0e21b113c58124084c7b74c9768fc241126a05"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Vulnogram", "source": "cna", "vendor": "Vulnogram"}, "product": "vulnogram", "vendor": "vulnogram"}], "analysis": {"en": {"generated_at": "2026-03-20T19:52:48.718817+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Vulnogram release that includes the XSS fix", "If an upgrade is not yet possible, add server\u2011side input sanitization for comment data", "As a temporary measure, disable the comment functionality until a patch is applied", "Regularly review comment sections for suspicious entries"], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting execution in victims\u2019 browsers"}, "threat_synthesis": {"affected_systems": "All installations of Vulnogram version 1.0.0, including the beta1 build, that expose public comment posting are vulnerable.", "description_and_impact": "Vulnogram 1.0.0 holds a stored cross\u2011site scripting flaw in the way comment hypertext is processed. Attackers can inject malicious script code into comments, which is then executed by any browser that renders the comment.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact, while the EPSS of less than 1\u202f% reflects a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can reach the flaw through the normal comment submission interface; the compromise occurs only within the victim\u2019s browser and does not affect the server itself."}}}}, "created": "2026-03-16T09:22:19.446924+00:00", "updated": "2026-03-23T13:39:05.031661+00:00", "vendors": ["vulnogram", "vulnogram$PRODUCT$vulnogram"]}