This vulnerability (CVE-2026-42656) is a CWE-79 Cross-Site Scripting (XSS) flaw in Wasiliy Strecker's Contest Gallery software, affecting versions up to 28.1.6. It arises from improper neutralization of input during web page generation, allowing an attacker with subscriber-level privileges to inject malicious scripts. The CVSS 3.1 score is 6.5 (medium), reflecting network attack vector, low attack complexity, required privileges at the subscriber level, user interaction needed, and impacts on confidentiality, integrity, and availability at a low level. No known exploits are reported in the wild, and no vendor-provided patch or official remediation is currently documented.

Successful exploitation can lead to partial compromise of confidentiality, integrity, and availability of the affected system, potentially allowing execution of malicious scripts in the context of other users. This could result in session hijacking, data manipulation, or denial of service conditions. However, the attack requires subscriber privileges and user interaction, limiting the scope of impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting subscriber input or applying web application firewall (WAF) rules to detect and block malicious script payloads related to this vulnerability. Monitor vendor channels for updates and patches.