{"vulnerability": "CVE-2026-38908", "sightings": [{"uuid": "eabaf8ec-60f0-498c-b795-f638eb2c3817", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-38908", "type": "seen", "source": "https://gist.github.com/iamthana/e5d36a822218cf8e659c4de041a3c32d", "content": "# CVE-2026-38908: Cross-Site Scripting (XSS) in PamornT flex2html\n\n## [Vulnerability Description]\nCross-Site Scripting (XSS) in the text_object function of PamornT flex2html allows remote attackers to inject arbitrary JavaScript or HTML via unescaped user-supplied data in a LINE Flex Message.\n\n## [Product/Vendor Information]\n- Vendor: PamornT\n- Product: flex2html\n- Affected Version: All versions up to commit 2757c2e\n- Affected Component: The 'text_object' function within 'js/flex2html.js'\n\n## [Vulnerability Type]\nCross-Site Scripting (XSS)\n\n## [Attack Type]\nRemote\n\n## [Impact]\nInformation Disclosure / Arbitrary Code Execution\n\n## [Attack Vectors / Proof of Concept (PoC)]\nAn attacker can inject a malicious XSS payload into user-supplied data (such as a LINE display name or a chat message). The backend system then incorporates this unescaped data into a LINE Flex Message JSON object. \n\nWhen a web application uses the flex2html library to render this Flex Message, the text_object function processes the malicious input without proper HTML sanitization, leading to DOM injection and execution in the victim's browser when they view the page.\n\n## [References]\n- https://github.com/PamornT/flex2html/issues/17\n\n## [Discoverer]\nThana Tingprasom, Incognito Lab (https://incognitolab.com)", "creation_timestamp": "2026-05-24T14:57:32.000000Z"}]}