CVE-2026-4847 is a cross-site scripting vulnerability identified in dameng100 muucmf version 1.9.5.20260309. The vulnerability resides in an unspecified function within the /admin/config/list.html file, where the 'Name' parameter is improperly sanitized, allowing attackers to inject malicious JavaScript code. This injection occurs when the parameter is manipulated remotely, without requiring authentication, and the attack requires user interaction to trigger the malicious script execution. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting its network attack vector, low attack complexity, no privileges required, and user interaction needed. The impact primarily affects the confidentiality and integrity of user sessions by enabling script execution in the victim’s browser context, which can lead to session hijacking, unauthorized actions, or phishing. The vendor was notified early but has not issued any response or patch, and no official remediation is available. The public disclosure of exploit code increases the likelihood of exploitation attempts, although no active exploitation has been confirmed. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in administrative interfaces.

The primary impact of CVE-2026-4847 is the compromise of user session confidentiality and integrity through the execution of arbitrary scripts in the victim’s browser. Attackers can leverage this to steal session cookies, perform unauthorized actions on behalf of the user, deface web content, or redirect users to malicious websites. Since the vulnerability is in an administrative interface, successful exploitation could lead to elevated risks if administrators are targeted, potentially resulting in broader system compromise. The lack of authentication requirement lowers the barrier for attackers, but user interaction is necessary, which may limit automated mass exploitation. The public availability of exploit code increases the risk of opportunistic attacks. Organizations relying on dameng100 muucmf 1.9.5.20260309 may face reputational damage, data breaches, and operational disruptions if this vulnerability is exploited. The absence of vendor response and patches prolongs exposure, necessitating immediate mitigation efforts by affected parties.

1. Implement strict input validation and output encoding on the 'Name' parameter in /admin/config/list.html to neutralize malicious script content. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3. Restrict access to the administrative interface by IP whitelisting or VPN to reduce exposure to untrusted networks. 4. Educate users, especially administrators, about the risks of clicking on suspicious links or interacting with untrusted content. 5. Monitor web server logs and application behavior for unusual requests targeting the vulnerable parameter. 6. If possible, upgrade to a patched version once the vendor releases one or consider alternative software solutions. 7. Use web application firewalls (WAF) with custom rules to detect and block XSS payloads targeting this vulnerability. 8. Regularly back up configuration and data to enable recovery in case of compromise. 9. Isolate administrative interfaces from public internet access where feasible. 10. Conduct security assessments and penetration testing focused on input validation weaknesses in the application.