{"uuid": "e4517072-e1fa-4be5-b34c-34f3288b3e9f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-4c8j-mgm4-qqvp", "type": "seen", "source": "https://gist.github.com/alon710/89044faa74c1d9de479703a9098fa939", "content": "# CVE-2026-48788: CVE-2026-48788: Cross-Site Scripting and Content-Type Spoofing in Remark42 Image Proxy\n\n> **CVSS Score:** 8.2\n> **Published:** 2026-06-26\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48788\n\n## Summary\nA critical-severity Cross-Site Scripting (XSS) and Content-Type spoofing vulnerability in Remark42 (versions 1.6.0 through 1.15.0) allows remote attackers to execute arbitrary client-side script code via a crafted image proxy request.\n\n## TL;DR\nRemark42 is vulnerable to an interpretation conflict where a malicious remote server spoofing a png content-type header can bypass download filters, forcing Remark42's image proxy to serve executable HTML payloads.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-436, CWE-79\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 8.2 (High)\n- **EPSS Score**: 0.00251\n- **Exploit Status**: PoC\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Remark42 Comment Engine\n- **remark42**: >= 1.6.0, < 1.16.0 (Fixed in: `1.16.0`)\n\n## Mitigation\n\n- Upgrade to version 1.16.0 or higher\n- Enforce X-Content-Type-Options: nosniff header on reverse proxies\n- Disable the image proxy feature if not strictly required\n\n**Remediation Steps:**\n1. Update the Remark42 container image to tag v1.16.0 or higher\n2. Clear any front-end CDN caches associated with /api/v1/img\n3. Verify the presence of X-Content-Type-Options headers in proxy responses\n\n## References\n\n- [NVD CVE-2026-48788 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-48788)\n- [GHSA-4c8j-mgm4-qqvp Advisory](https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48788) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-26T19:42:06.242732Z"}