{"id":"CVE-2026-14449","summary":"POST-based reflected XSS via the thanks parameter in form components","details":"u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components","modified":"2026-07-15T01:48:50.017791515Z","published":"2026-07-02T11:47:53.387Z","database_specific":{"cna_assigner":"NCSC.ch","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14449.json"},"references":[{"type":"WEB","url":"https://github.com/u5cms/u5cms/releases/tag/v12.8.9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14449.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-14449"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/u5cms/u5cms","events":[{"introduced":"0"},{"fixed":"9f63199d720f7b22b023791fd9d7a46b2f19c5ed"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"12.8.8"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v12.8.8","v12.8.7","v12.8.6","v12.8.5","v12.8.4","v12.8.3","v12.8.2","v12.8.1","v12.8.0","v12.8.0-rc.2","v12.8.0-rc.1","v12.7.48","v12.7.47","v12.7.46","v12.7.45","v12.7.44","v12.7.43","v12.7.42","v12.7.41","v12.7.40","v12.7.39","v12.7.38","v12.7.37","v12.7.36","v12.7.35","v12.7.34","v12.7.33","v12.7.32","v12.7.31","v12.7.30","v12.7.29","v12.7.27","v12.7.26","v12.7.25","v12.7.24","v12.7.23","v12.7.22","v12.7.21","v12.7.20","v12.7.19","v12.7.18","v12.7.17","v12.7.16","v12.7.15","v12.7.14","v12.7.13","v12.7.12","v12.7.11","v12.7.10","v12.7.9","v12.7.8","v12.7.7","v12.7.6","v12.7.5","v12.7.4","v12.7.3","v12.7.2","v12.7.1","v12.7.0","v12.6.12","v12.6.11","v12.6.10","v12.6.9","v12.6.8","v12.6.7","v12.6.6","v12.6.5","v12.6.4","v12.6.3","v12.6.2","v12.6.1","v12.5.10","v12.5.8","v12.5.7","v12.5.6","v12.5.5","v12.5.4","v12.5.3","v12.5.2","v12.4.9","v12.4.6","v12.4.5","v12.4.4","v12.4.3","v12.4.2","v12.4.0","v12.2.2","v12.2.1","v12.1.0","v12.0.0","v11.0.1","v11.0.0","v10.3.3","v10.3.2","v10.3.1","v10.3.0","v10.2.0","v8.4.0","v10.1.3","v10.1.2","v10.1.1","v10.1.0","v10.0.0","v10.0.0-b4","v10.0.0-b3","v10.0.0-b2","v10.0.0-b1","v8.3.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14449.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"}]}