What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anibalwainstein Effect Maker effect-maker allows DOM-Based XSS. This issue affects Effect Maker: from n/a through <= 1.2.1.
Explanation of Vulnerability in Simple Terms
02 Summary
Effect Maker versions 1.2.1 and earlier contain a cross-site scripting vulnerability that allows attackers to inject malicious scripts. The attacker, who must be an authenticated user, has to trick a victim into visiting a crafted page or clicking a link. The injected script then executes in the victim's browser with the victim's permissions, potentially compromising their session or data.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript that runs in a victim's browser with their permissions.
Potential impact on your site
04 Site Impact
Users' sessions or data could be compromised if they interact with attacker-controlled content.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account; victim must click a malicious link or visit a crafted page.
Key dates
06 Disclosure timeline
January 8, 2026: CVE published
April 28, 2026: Record updated