CVE-2026-43938

Source
https://cve.org/CVERecord?id=CVE-2026-43938
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43938.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43938
Aliases
Published
2026-05-12T13:57:56.951Z
Modified
2026-07-08T08:05:14.276678839Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
Details

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column whenever an event (e.g., an unhandled exception) is logged. The admin event-log page (YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs) later deserializes that JSON in FormatStackTrace() and interpolates the UserAgent value directly into an HTML string with no encoding, and the Razor view EventLog.cshtml emits the result through @Html.Raw. This vulnerability is fixed in 4.0.5 and 3.2.12.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43938.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-116",
        "CWE-79",
        "CWE-80"
    ]
}
References

Affected packages

Git / github.com/yafnet/yafnet

Affected ranges

Type
GIT
Repo
https://github.com/yafnet/yafnet
Events
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "4.0.0-beta.1"
        },
        {
            "fixed": "4.0.5"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.12"
        }
    ]
}

Affected versions

Other
aspnet20a
complete
complete2
release_0_8_1
release_0_8_2
release_0_9_0
release_0_9_1
release_0_9_2
release_0_9_3
release_0_9_4
release_0_9_5
release_0_9_6
release_0_9_7
release_0_9_8
release_0_9_8B
release_0_9_9
release_0_9_9b
release_1_0_2
release_1_9_4_BETA
release_1_9_4_FINAL
release_1_9_5_5_BETA
release_1_9_5_5_RTW
release_1_9_5_RC1
release_1_9_6_1_RTW
release_1_9_6_BETA1
release_1_9_6_FINAL
release_1_9_6_RC1
release_2_0_0_RC1
start
yaf_dnn2
v2.*
v2.0.0
v2.1
v2.1.2
v2.1.2-beta.1
v2.2.0
v2.2.0-beta.1
v2.2.0-rc.1
v2.2.1
v2.2.1.0-nightly.20
v2.2.2
v2.2.2.0-nightly.76
v2.2.3
v2.2.3.0-nightly.115
v2.2.3.0-nightly.118
v2.2.4.0
v2.2.4.0-nightly
v2.2.4.1
v2.2.4.10
v2.2.4.18
v2.2.4.19
v2.2.4.2
v2.2.4.3
v2.2.4.4
v2.2.4.5
v2.2.4.6
v2.2.4.7
v2.2.4.8
v2.2.4.9
v2.3.0.0
v2.3.0.0-BETA1
v2.3.0.0-beta.2
v2.3.0.0-beta.3
v2.3.0.0-beta.4
v2.3.0.0-rc.1
v2.3.0.0-rc.2
v2.3.0.0-rc.3
v2.3.0.0-rc.4
v2.3.0.0-rc.5
v2.3.0.4
v2.3.0.4-beta.1
v2.3.0.5-beta.1
v2.3.1.0
v3.*
v3.0.2
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.1
v3.2.10
v3.2.11
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v4.*
v4.0.0
v4.0.0-beta.1
v4.0.0-beta.3
v4.0.0-beta.7
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.3
v4.0.0-rc.4
v4.0.1
v4.0.2
v4.0.3
v4.0.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43938.json"