{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5010", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-03-27T14:00:08.759Z", "datePublished": "2026-03-27T14:35:06.783Z", "dateUpdated": "2026-03-27T15:08:30.583Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-27T14:35:06.783Z"}, "title": "Reflected Cross-Site Scripting (XSS) in Sanoma\u2019s Clickedu", "datePublic": "2026-03-23T11:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Sanoma", "product": "Clickedu", "versions": [{"status": "affected", "version": "0", "lessThan": "5.1", "versionType": "custom"}, {"status": "unaffected", "version": "5.1"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "5.1"}, {"vulnerable": false, "criteria": "cpe:2.3:a:sanoma:clickedu:5.1:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim\u2019s browser by sending them a malicious URL using the endpoint \u201c/user.php/\u201d. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user\u2019s behalf.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim\u2019s browser by sending them a malicious URL using the endpoint \u201c/user.php/\u201d. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user\u2019s behalf. "}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-sanomas-clickedu-0", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "solutions": [{"lang": "en", "value": "The vulnerability has been fixed by the Sanoma team in version 5.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnerability has been fixed by the Sanoma team in version 5.1."}]}], "credits": [{"lang": "en", "value": "Gonzalo Aguilar Garc\u00eda (6h4ack)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T15:05:06.423960Z", "id": "CVE-2026-5010", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T15:08:30.583Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5010", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T15:05:06.423960Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T15:05:36.207Z"}}], "cna": {"title": "Reflected Cross-Site Scripting (XSS) in Sanoma\u2019s Clickedu", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sanoma", "product": "Clickedu", "versions": [{"status": "affected", "version": "0", "lessThan": "5.1", "versionType": "custom"}, {"status": "unaffected", "version": "5.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability has been fixed by the Sanoma team in version 5.1.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been fixed by the Sanoma team in version 5.1.", "base64": false}]}], "datePublic": "2026-03-23T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-sanomas-clickedu-0", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim\u2019s browser by sending them a malicious URL using the endpoint \u201c/user.php/\u201d. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user\u2019s behalf.", "supportingMedia": [{"type": "text/html", "value": "A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim\u2019s browser by sending them a malicious URL using the endpoint \u201c/user.php/\u201d. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user\u2019s behalf. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.1", "versionStartIncluding": "0"}, {"criteria": "cpe:2.3:a:sanoma:clickedu:5.1:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-27T14:35:06.783Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5010", "state": "PUBLISHED", "dateUpdated": "2026-03-27T15:08:30.583Z", "dateReserved": "2026-03-27T14:00:08.759Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2026-03-27T14:35:06.783Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim\u2019s browser by sending them a malicious URL using the endpoint \u201c/user.php/\u201d. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user\u2019s behalf."}], "id": "CVE-2026-5010", "lastModified": "2026-05-19T15:43:28.500", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2026-03-27T15:17:04.113", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-sanomas-clickedu-0"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "5.1"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Clickedu", "source": "cna", "vendor": "Sanoma"}, "product": "clickedu", "vendor": "sanoma"}], "analysis": {"en": {"generated_at": "2026-03-27T15:50:22.684621+00:00", "value": {"mitigation_remediation": ["Update Clickedu to version\u202f5.1 or later", "If an update is not yet available, block or restrict access to the \"/user.php/\" endpoint", "Ensure all user input is properly encoded or sanitized", "Warn users about phishing attempts containing malicious URLs"], "summary": {"action": "Patch immediately", "impact": "Execute malicious JavaScript in the victim\u2019s browser to steal cookies or perform actions on the user\u2019s behalf"}, "threat_synthesis": {"affected_systems": "The flaw affects Sanoma Clickedu before version\u202f5.1. The vendor released a fix in Clickedu\u202f5.1.", "description_and_impact": "A reflected Cross\u2011Site Scripting (XSS) flaw exists in Clickedu\u2019s \"/user.php/\" endpoint. An attacker can embed malicious JavaScript in a URL that, when visited by a user, runs in the victim\u2019s browser. This can steal session cookies and enable the attacker to perform unauthorized actions on the user\u2019s behalf.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting it may not have widespread exploitation yet. Attackers can use the flaw by crafting a malicious URL and luring users to it, which can be carried out remotely without authentication."}}}}, "created": "2026-03-27T20:28:26.222072+00:00", "updated": "2026-03-30T07:01:40.828380+00:00", "vendors": ["sanoma", "sanoma$PRODUCT$clickedu"]}