CVE-2026-38949

CVSS 8.9 HIGHEPSS 0.4%CWE-79

Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Affected products

n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md https://github.com/danpros/htmly https://youtu.be/3e-tzUMCox8