{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1183", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-01-19T12:17:38.221Z", "datePublished": "2026-01-20T12:09:05.269Z", "dateUpdated": "2026-01-20T17:51:26.528Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "TransP", "vendor": "Botble", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "Athena", "vendor": "Botble", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "Martfury", "vendor": "Botble", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "Homzen", "vendor": "Botble", "versions": [{"status": "affected", "version": "all versions"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:botble:transp:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:botble:athena:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:botble:martfury:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:botble:homzen:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"}], "datePublic": "2026-01-19T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter."}], "value": "HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-01-20T12:09:05.269Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-multiple-botble-products"}], "source": {"discovery": "EXTERNAL"}, "title": "HTML injection in multiple Botble products", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T17:46:40.633842Z", "id": "CVE-2026-1183", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T17:51:26.528Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1183", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T17:46:40.633842Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T17:46:45.361Z"}}], "cna": {"title": "HTML injection in multiple Botble products", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Botble", "product": "TransP", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Botble", "product": "Athena", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Botble", "product": "Martfury", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Botble", "product": "Homzen", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "datePublic": "2026-01-19T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-multiple-botble-products"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.", "supportingMedia": [{"type": "text/html", "value": "HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:botble:transp:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:botble:athena:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:botble:martfury:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:botble:homzen:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-01-20T12:09:05.269Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1183", "state": "PUBLISHED", "dateUpdated": "2026-01-20T17:51:26.528Z", "dateReserved": "2026-01-19T12:17:38.221Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2026-01-20T12:09:05.269Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter."}, {"lang": "es", "value": "Vulnerabilidad de in inyecci\u00f3n HTML en m\u00faltiples productos de Botble como TransP, Athena, Martfury y Homzen, que consiste en una inyecci\u00f3n HTML debido a una falta de validaci\u00f3n adecuada de la entrada del usuario al enviar una solicitud a '/search' utilizando el par\u00e1metro 'q'."}], "id": "CVE-2026-1183", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2026-01-20T13:16:03.180", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-multiple-botble-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:46:41.608708+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch or upgrade Botble Athena, Homzen, Martfury, and TransP to the latest release that addresses the HTML injection flaw.", "If no patch is currently available, sanitize or escape all content returned from the 'q' parameter before rendering it to prevent injection.", "Implement input validation on the 'q' parameter to accept only alphanumeric characters or enforce a whitelist to reduce the attack surface."], "summary": {"action": "Patch", "impact": "HTML Injection (XSS)"}, "threat_synthesis": {"affected_systems": "Affected products include Botble Athena, Homzen, Martfury, and TransP, all versions of each product. The issue is present in all current releases until patched by the vendor.", "description_and_impact": "This vulnerability is an HTML injection flaw that allows an attacker to embed arbitrary markup into the 'q' search parameter, leading to client\u2011side script execution within the context of the victim's browser. The flaw arises because the application fails to properly validate or escape user input before rendering it. The impact can compromise confidentiality, integrity, and availability of the user session through cross\u2011site scripting, potentially enabling session hijacking, data theft, or malicious content injection.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a medium severity vulnerability, and the EPSS score of less than 1% shows a low probability of exploitation at the time of writing. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request to '/search' with a crafted 'q' parameter that contains malicious HTML. If exploited, an attacker could execute arbitrary JavaScript in the victim\u2019s browser, enabling further cross\u2011site attacks."}}}}, "created": "2026-04-18T05:00:06.022996+00:00", "updated": "2026-04-18T05:00:06.023013+00:00", "vendors": []}