{"id":"CVE-2026-32774","details":"Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers.","aliases":["GHSA-pg4p-2985-gvxr","GHSA-vggc-6pg2-xvp9"],"modified":"2026-04-02T13:41:06.065726Z","published":"2026-03-16T14:19:44.207Z","references":[{"type":"ADVISORY","url":"https://github.com/Vulnogram/Vulnogram/security/advisories/GHSA-pg4p-2985-gvxr"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/vulnogram-stored-cross-site-scripting-via-comment-hypertext"},{"type":"FIX","url":"https://github.com/Vulnogram/Vulnogram/commit/2f0e21b113c58124084c7b74c9768fc241126a05"},{"type":"PACKAGE","url":"https://github.com/Vulnogram/Vulnogram"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/Vulnogram/Vulnogram","events":[{"introduced":"0"},{"last_affected":"271c48eccdc23400e108cf823d11e2e5ce7be8d2"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.0-beta1"}]}},{"type":"GIT","repo":"https://github.com/vulnogram/vulnogram","events":[{"introduced":"0"},{"fixed":"2f0e21b113c58124084c7b74c9768fc241126a05"}]}],"versions":["v0.0.5","v0.0.6","v0.0.9","v0.1.0-rc1","v1.0.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32774.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}