CVE-2023-53936 MEDIUM

CVE-2023-53936: Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation

Vendor Tuzitio
Product Cameleon CMS
Weakness CWE-79 · XSS
Published December 18, 2025
Last update April 7, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.

Key dates

02 Disclosure timeline

December 18, 2025 CVE published
April 7, 2026 Record updated